Red Hat Enterprise Linux 7 Hat Enterprise Linux 7 7.5 Release Notes Release Notes for Red Hat...

Red Hat Enterprise Linux 7

7.5 Release Notes

Release Notes for Red Hat Enterprise Linux 7.5

Last Updated: 2018-06-13

Red Hat Enterprise Linux 7 7.5 Release Notes

Release Notes for Red Hat Enterprise Linux 7.5

Red Hat Customer Content [email protected]

Legal Notice

Copyright © 2018 Red Hat, Inc.

This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0Unported License. If you distribute this document, or a modified version of it, you must provideattribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hattrademarks must be removed.

Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert,Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinitylogo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and othercountries.

Linux ® is the registered trademark of Linus Torvalds in the United States and other countries.

Java ® is a registered trademark of Oracle and/or its affiliates.

XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United Statesand/or other countries.

MySQL ® is a registered trademark of MySQL AB in the United States, the European Union andother countries.

Node.js ® is an official trademark of Joyent. Red Hat Software Collections is not formally related toor endorsed by the official Joyent Node.js open source or commercial project.

The OpenStack ® Word Mark and OpenStack logo are either registered trademarks/service marksor trademarks/service marks of the OpenStack Foundation, in the United States and other countriesand are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed orsponsored by the OpenStack Foundation, or the OpenStack community.

All other trademarks are the property of their respective owners.

Abstract

The Release Notes provide high-level coverage of the improvements and additions that have beenimplemented in Red Hat Enterprise Linux 7.5 and document known problems in this release, as wellas notable bug fixes, Technology Previews, deprecated functionality, and other details.

http://creativecommons.org/licenses/by-sa/3.0/

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Table of Contents

PREFACE

CHAPTER 1. OVERVIEWSecurity and CompliancePerformance and EfficiencyPlatform ManageabilityIdentity Management and Access ControlSupport for Architectures in the New Kernel VersionVirtualizationRed Hat InsightsRed Hat Customer Portal Labs

CHAPTER 2. ARCHITECTURESSupport for Architectures in the kernel-alt Packages

CHAPTER 3. IMPORTANT CHANGES TO EXTERNAL KERNEL PARAMETERSKERNEL PARAMETERSKERNEL PARAMETERS TO MITIGATE SPECTRE AND MELTDOWN ISSUESUPDATED /PROC/SYS/NET/CORE ENTRIES

PART I. NEW FEATURES

CHAPTER 4. GENERAL UPDATESIn-place upgrade from Red Hat Enterprise Linux 6 to Red Hat Enterprise Linux 7The setup package now provides a way to override unpredictable environment settings

CHAPTER 5. AUTHENTICATION AND INTEROPERABILITYWindows Server 2016 forest and domain functional levels now supported for trustDirectory Server no longer displays replication conflict entries in search resultsOpenLDAP is now compiled with OpenSSL instead of NSSSamba rebased to version 4.7.1The SSSD LDAP provider can now automatically create user private groups for usersSSSD enrolled to an AD domain remembers the discovered AD site after the first successful connectionSSSD logs changes in its status to syslogSSSD performance has improvedThe pwdhash utility can now retrieve the storage scheme from the configuration directoryNew utility to compare two Directory Server instancesDirectory Server now supports enabling the memberOf plug-in on read-only replicasDirectory Server rebased to version 1.3.7.5Directory Server supports additional password storage schemesDirectory Server now uses separate normalized DN caches for each worker threadpki-core rebased to version 10.5.1Certificate System supports installing CA, KRA, and OCSP subsystems with CMCCertificate System supports creating instances running as a different userCertificate System can now create PKCS #12 files using PBES2 with PBKDF2 key derivationCertificate System CAs can now process CMC renewal requests signed by a previously issued signing certificate

Certificate System now uses the Mozilla NSS secure random number generatorAudit event changes in Certificate Systemkrb5 now includes the kdcpolicy interfaceCertificate System now supports configurable hashing algorithms for the SKI extensionThe pki command-line interface automatically creates a default NSS databaseCertificate System disables weak 3DES ciphers by default

15

161616161617171717

1919

21212222

24

252525

26262626262727272727272828282828282929

29292929303030

Table of Contents

1

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

The Certificate System CA subsystem's OCSP provider now includes the nextUpdate field in responsesding-libs rebased to version 0.6.1

CHAPTER 6. CLUSTERINGNew SNMP agent to query a Pacemaker clusterSupport for Red Hat Enterprise Linux High Availability clusters on Amazon Web ServicesSupport for Red Hat Enterprise Linux High Availability clusters on Microsoft AzureUnfencing is done in resource cleanup only if relevant parameters changedThe pcsd port is now configurableFencing and resource agents are now supported by AWS Python libraries and a CLI clientFencing in HA setups is now supported by Azure Python librariesNew features added to the sbd binary.sbd rebased to version 1.3.1Cluster status now shows by default when a resource action is pendingclufter rebased to version 0.77.0Support for Sybase ASE failover

CHAPTER 7. COMPILER AND TOOLSThe linuxptp package now supports active-backup bonding for clock synchronizationparted can now resize partitions using the resizepart commandbinutils rebased to version 2.27pcp rebased to version 3.12.2Improved DWARF 5 support in various toolssystemtap rebased to version 3.2valgrind rebased to version 3.13.0ncat rebased to version 7.50rsync rebased to version 3.1.2tcpdump can now analyze virtio trafficVim now supports C++11 syntax highlightingVim now supports the blowfish2 encryption methodThe IO::Socket::SSL Perl module now uses the system-wide CA certificate store by defaultperl-DateTime-TimeZone rebased to version 1.70system-config-kdump now support selecting of either automated or manual kdump memory settings when fadumpis performedconman rebased to version 0.2.8Support for the TFTP windowsize option has been implementedcurl now supports disabling GSSAPI with SOCKS5The rsync utility now copies files with their original nanosecond part of the time stamptcpdump rebased to version 4.9.2OProfile support for Intel Xeon processor family extendedSupport for Intel Xeon v4 uncore performance events in libpfm, pcp, and papiMemory copying performance improved on IBM POWER architecturesTAI clock macro availableSupport for selective use of 4 KiB page tables on IBM z SystemsMore efficient glibc functions on IBM z SystemsThe ld linker no longer incorrectly combines position-dependent and independent codepython-virtualenv rebased to 15.1.0python-urllib3 supports IP addresses in subjectAltNameSupport for retpolines added to GCCShenandoah garbage collector is now fully supported

CHAPTER 8. DESKTOPGNOME Shell rebased to version 3.26gnome-settings-daemon rebased to version 3.26

3030

31313131313131313131323232

333333333334343535353636363636

3737373737373838383838383838383839

404040

7.5 Release Notes

2

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

libreoffice rebased to version 5.3GIMP rebased to version 2.8.22Inkscape rebased to version 0.92.2webkitgtk4 rebased to version 2.16qt5 rebased to version 5.9.2New package: qgnomeplatformModemManager rebased to version 1.6.8New packages: libsmbiosmutter rebased to version 3.26The SANE_USB_WORKAROUND environmental variable can make older scanners usable with USB3The libyami package added for better video stream handlingnetpbm rebased to version 10.79.00Red Hat Enterprise Linux 7.5 supports libvaGStreamer now supports mp3GNOME control-center rebased to version 3.26New package: emacs-php-modeDutch keyboard layout provided

CHAPTER 9. FILE SYSTEMSSMB 2 and SMB 3 now support DFSFile system DAX now performs better when mapping a large amount of memoryquotacheck is now faster on ext4

CHAPTER 10. HARDWARE ENABLEMENTBroadcom 5880 smart card readers with the updated firmware are now supportedfwupd now supports Synaptics MST hubskernel-rt sources updatedImproved RT throttling mechanismVMware Paravirtual RDMA Driveropal-prd rebased to version 5.9libreswan now supports NIC offloadingTrusted Computing Group TPM 2.0 System API library and management utilities availablenew packages: tpm2-abrmd

CHAPTER 11. INSTALLATION AND BOOTINGAssigning mount points to existing block devices is now possible in Kickstart installationsThe livemedia-creator utility now provides a sample Kickstart file for UEFI systemsNew option for the network Kickstart command binding the device configuration file to the device MAC address

New options for Kickstart %packages allow configuring Yum timeout and number of retriesThe Red Hat Enterprise Linux 7 ISO image can be used to create guests virtual machines on IBM z SystemsARPUPDATE option for ifcfg-* files has been introducedThe --noconfig option added for the rpm -V commandifcfg-* files now allow you to specify a third DNS serverMulti-threaded xz compression in rpm-build

CHAPTER 12. KERNELMemory Protection Keys are now supported in later Intel processorsEDAC support added for Pondicherry 2 memory controllersMBA is now supportedSwap optimizations enable fast block devices to be used as secondary memoryHID Wacom rebased to version 4.12New livepatch functionality improves the latency and success rate of the kpatch-patch packagesPersistent Kernel Module Upgrade (PKMU) supported

4040414242424343434343444444444444

46464646

47474747474747484848

494949

49494950505050

5151515151515151

Table of Contents

3

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

The Linux kernel now supports encrypted SMB 3 connectionsSME enabled on AMD Naples platformsSupport for the ie31200_edac driverEDAC now supports GHESCUIR enhanced scope detection is now fully supportedkdump allows a vmcore collection without the root file system being mountedKASLR fully supported and enabled by defaultIntel® Omni-Path Architecture (OPA) Host Softwarenoreplace-paravirt has been removed from the kernel command line parametersThe new EFI memmap implementation is now available on SGI UV2+ systemsMounting pNFS shares with flexible file layout is now fully supported

CHAPTER 13. NETWORKINGError handling in the output of the dhcp-script has been improvedNetwork namespace isolation has been added to ipsetNetworkManager now supports multiple routing tables to enable source routingnftables rebased to version 0.8Persistent DHCP client behavior added to NetworkManagerNetworkManager exposes new properties to expose team optionsPackets mark is now reflected on repliesNew Socket timestamping options for NTPiproute2 rebased to version 4.11.0The tc-pedit action now supports offset relative to Layer 2 and Layer 4Features backported to iprouteThe Geneve driver rebased to version 4.12A control switch added for VXLAN and GENEVE offloadingunbound rebased to version 1.6.6DHCP now supports standard dynamic DNS updatesDDNS now supports additional algorithmsIPTABLES_SYSCTL_LOAD_LIST now supports the sysctl.d filesSCTP now supports MSG_MOREMACsec rebased to version 4.13Enhanced performance when using the mlx5 driver in Open vSwitchThe Netronome NFP Ethernet driver now supports the representor netdev featureSupport for offloading TC-Flower actionsDNS stub resolver improvements

CHAPTER 14. SECURITYLUKS-encrypted removable storage devices can be now automatically unlocked using NBDEnew package: clevis-systemdOpenSCAP can be now integrated into Ansible workflowsSECCOMP_FILTER_FLAG_TSYNC enables synchronization of calling process threadsnss rebased to version 3.34SSLv3 disabled in mod_sslLibreswan now supports split-DNS configuration for IKEv2libreswan now supports AES-GMAC for ESPopenssl-ibmca rebased to 1.4.0opencryptoki rebased to 3.7.0atomic scan with configuration_compliance enables creating security-compliant container images at build time

tang-nagios enables Nagios to monitor Tangclevis now logs privileged operationsPK11_CreateManagedGenericObject() has been added to NSS to prevent memory leaks in applications

5252525252525253535353

545454545454555555555656565656575758585858585859

6060606060606061616161

61616262

7.5 Release Notes

4

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

OpenSSH now supports openssl-ibmca and openssl-ibmpkcs11 HSMscgroup_seclabel enables fine-grained access control on cgroupsThe boot process can now unlock encrypted devices connected by networkSELinux now supports InfiniBand object labelinglibica rebased to 3.2.0SELinux now supports systemd No New PrivilegesLibreswan rebased to version 3.23libreswan now supports IKEv2 MOBIKEscap-workbench rebased to version 1.1.6OpenSCAP is now able to generate results for DISA STIG Viewerselinux-policy no longer contains permissive domainsaudit rebased to version 2.8.1OpenSC now supports the SCE7.0 144KDI CAC Alt. tokens

CHAPTER 15. SERVERS AND SERVICESLeftover dbus processesdbus rebased to version 1.10tuned rebased to version 2.9.0chrony rebased to version 3.2SNMP page counting can be now disabled in CUPSCUPS can be set to use only ciphers from TLS version 1.2 or laterThe squid packages now provide the kerberos_ldap_group helperOpenIPMI rebased to version 2.0.23Overview of changes from freeIPMI 1.2.9 to freeIPMI 1.5.7A new clear_env option available in PHP FPM pool configuration

CHAPTER 16. STORAGEData Deduplication and Compression with VDONew boom utility for managing LVM snapshot and image boot entriesDM Multipath no longer requires reservation keys in advanceNew property parameter supported in blacklist and blacklist_exception sections of multipath.confsmartmontools now support NVMe devicesSupport for DIF/DIX (T10 PI) on specified hardwareFile system Direct Access (DAX) and device DAX now support huge pagesfsadm can now grow and shrink LUKS-encrypted LVM volumes

CHAPTER 17. SYSTEM AND SUBSCRIPTION MANAGEMENTcockpit rebased to version 154Users of yum-utils now can perform actions prior to transactionsyum can disable creation of per-user cache as a non-root useryum-builddep now allows to define RPM macrossubscription-manager now displays the host name upon registrationA subscription-manager plugin now runs with yum-config-managersubscription-manager now protects all product certificates in /etc/pki/product-default/rhn-migrate-classic-to-rhsm now automatically enables the subscription-manager and product-id yum pluginssubscription-manager now automatically enables the subscription-manager and product-id yum pluginssubscription-manager-cockpit replaces subscription functionality in cockpit-systemvirt-who logs where the host-guest mapping is sentvirt-who now provides configuration error information

CHAPTER 18. VIRTUALIZATIONKVM virtualization on IBM z SystemsKVM virtualization supported on IBM POWER9KVM virtualization supported on IBM POWER8

62626262636363646464646465

6666666666666767676767

686868686869697070

71717171717172727272727272

73737373

Table of Contents

5

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

NVIDIA GPU devices can now be used by multiple guests simultaneouslyKASLR for KVM guestsParallel decompression of OVA files supportedSMAP now supported on Cannonlake guestslibvirt rebased to 3.9.0virt-manager rebased to 1.4.3virt-what rebased to version 1.18tboot rebased to version 1.96virt-v2v can convert VMware guests with snapshotsvirt-rescue enhancedvirt-v2v now converts Linux guests encrypted with LUKSCAT support added to libvirt on specific CPU modelsPTP device added to improve time synchronization of KVM guests

CHAPTER 19. RED HAT ENTERPRISE LINUX 7.5 FOR ARM19.1. NEW FEATURES AND UPDATES19.2. KERNEL CONFIGURATION CHANGESHARDWARE ENABLEMENTCORE KERNEL SUPPORT19.3. SUPPORT IN RED HAT SATELLITE19.4. KNOWN ISSUES19.5. BUG FIXES

CHAPTER 20. RED HAT ENTERPRISE LINUX 7.5 FOR IBM POWER LE (POWER9)20.1. NEW FEATURES AND UPDATES20.2. KERNEL CONFIGURATION CHANGESHARDWARE ENABLEMENTCORE KERNEL SUPPORT20.3. SUPPORT IN RED HAT SATELLITE20.4. KNOWN ISSUES20.5. BUG FIXES

CHAPTER 21. ATOMIC HOST AND CONTAINERSRed Hat Enterprise Linux Atomic Host

CHAPTER 22. RED HAT SOFTWARE COLLECTIONS

PART II. NOTABLE BUG FIXES

CHAPTER 23. GENERAL UPDATESrunc notifies systemd about user-specified CPU quota limitsSegmentation faults in applications because of only non-existent paths in LD_LIBRARY_PATH no longer happen

The setup package now creates the tape group with the correct group number

CHAPTER 24. AUTHENTICATION AND INTEROPERABILITYThe IdM LDAP server no longer becomes unresponsive when resolving an AD user takes a long timeApplication configuration snippets in /etc/krb5.conf.d/ are now automatically read in existing configurationspam_mkhomedir can now create home directories under /Kerberos operations depending on KVNO in the keytab file no longer fail when a RODC is usedkrb5 properly displays errors about PKINIT misconfiguration in single-realm KDC environmentsCertificate System no longer incorrectly logs ROLE_ASSUME audit eventsUpdated attributes in CERT_STATUS_CHANGE_REQUEST_PROCESSED audit log eventSigned audit log verification now works correctlyCertificate System now validates the banner file

73737474747475757576767676

7777777779818182

8484858586888890

9191

92

93

9494

9494

95959595959596969696

7.5 Release Notes

6

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

The TPS subsystem no longer fails when performing a symmetric key changeover on a HSMCertificate System CAs no longer display an error when handing subject DNs without a CN componentThe pki-server-upgrade utility no longer fails if target files are missingThe Certificate System CA key replication now works correctlyCertificate System no longer fails to import PKCS #12 filesThe TPS user interface now displays the token type and origin fieldsCertificate System issued certificates with an expiration date later than the expiration date of the CA certificate

CA certificates without SKI extension no longer causes issuance failuresCertificate System correctly logs the user name in CMC request audit eventsThe Directory Server trivial word check password policy now works as expectedThe pkidestroy utility now fully removes instances that are started by the pki-tomcatd-nuxwdog serviceThe Certificate System deployment archive file no longer contains passwords in plain textACIs with the targetfilter keyword work correctlyDirectory Server searches with a scope set to one have been fixedClear error message when sending TLS data to a non-LDAPS portDirectory Server no longer logs an error if not running the cleanallruv taskUsing a large number of CoS templates no longer slow down the virtual attribute processing timeDirectory Server now handles binds during an online initialization correctlyThe [email protected] meta target is now linked to multi-user.targetThe memberOf plug-in now logs all update attempts of the memberOf attributeThe Directory Server password policies now work correctlyA buffer overflow has been fixed in Directory ServerDirectory Server now sends the password expired control during grace loginsAn unnecessary global lock has been removed from Directory ServerReplication now works correctly with TLS client authentication and FIPS mode enabledDirectory Server now correctly sets whether virtual attributes are operationalBackup now succeeds if replication was enabled and a changelog file existedCertificate System updates the revocation reason correctlyA race condition has been fixed in the Certificate System clone installation processCertificate System now uses strong ciphers by defaultThe pkispawn utility no longer displays incorrect errorsThe Certificate System profile configuration update method now correctly handles backslashes

CHAPTER 25. CLUSTERINGPacemaker correctly implements fencing and unfencing for Pacemaker remote nodesPacemaker now probes guest nodesThe pcs resource cleanup command no longer generates unnecessary cluster loadWarning generated when user specifies action attribute for stonith deviceIt is now possible to enable stonith agent debugging without specifying the --force flagThe fence_ilo3 resource agent no longer has a default value of cycle for the action parameterPacemaker no longer starts up when sbd is enabled but not started successfully by systemdA fenced node in an ‘sbd’ setup now shuts down reliablyIPaddr2 resource agent now finds NIC for IPv6 addresses with 128 netmaskportblock agent no longer yields excessive unnecessary messages/var/run/resource-agents directory now persists across reboots

CHAPTER 26. COMPILER AND TOOLSPackage selection now works in system-config-kickstartNVMe devices no longer show up as Unknown in parted and AnacondaDBD::MySQL now sends and receives smaller integers correctly on big-endian platformsThe version Perl module now supports tainted input and tainted version objectsThe HTTP::Daemon Perl module now supports IPv6

969697979797

979797979898989898989999999999999999

100100100100100100101101

102102102102102102102103103103103103

104104104104104104

Table of Contents

7

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

GDB shows inline function names in breakpoint listingRelocation failures at module load time due to wrong GCC alignment fixedThe istream::sentry object from the gcc C++ standard library no longer throws exceptionsMultiple fixes in gdb on IBM PowerGDB no longer crashes when dumping core from a process that terminatesGDB can again dump memory protected by the VM_DONTDUMP flagPrograms using the CLONE_PTRACE flag on threads now run under straceexiv2 rebased to version 0.26gssproxy fixed to properly update ccachesgcc on the little-endian variant of IBM Power Systems architecture no longer creates unused stack framesSeveral bugs fixed in gssproxyThe BFD library regains the ability to convert binary addresses to source code positionsApplications using vector registers for passing arguments work againcurl now properly resets the HTTP authentication stateThe strip utility works againImporting python modules generated by f2py now works properlymailx is not encoding multi-byte subjects properlyThe --all-logs option now works as expected in sosreportPython scripts can now correctly connect to HTTPS servers through a proxy, while explicitly setting the port

CHAPTER 27. DESKTOPStylus of Dell Canvas 27 fixedllvmpipe crashes on IBM Power Systems

CHAPTER 28. FILE SYSTEMSNFS shares no longer become unresponsive after a TCP connection is closed

CHAPTER 29. HARDWARE ENABLEMENTgenwqe-tools updated for IBM Power Systems ppc64 and ppc64le architecturesHardware utility tools now correctly identify recently released hardware

CHAPTER 30. INSTALLATION AND BOOTINGThe installer no longer crashes when you select an incomplete IMSM RAID array during manual partitioningInstaller now accepts additional time zone definitions in Kickstart filesProxy configuration set up using a boot option now works correctly in AnacondaFIPS mode now supports loading files over HTTPS during installationNetwork scripts now correctly update /etc/resolv.confFiles with the .old extension are now ignored by network scriptsBridge devices no longer fail to obtain an IP addressThe rhel-dmesg service can now be disabled correctly

CHAPTER 31. KERNELkdump can now capture a vmcore with nokaslr setMPOL_PREFERRED policy now works with Transparent Huge Pages (THP) with optimal performanceA cgroups deadlock has been fixedSystem no longer becomes unresponsive when DM thin provisioning is used on top of a loop deviceKASLR now no longer causes mirroring of kernel memory to non-mirrored regionsUsers now receive message with prompt to remove white space characters in the /etc/kdump.confAn application with large .bss segment on IBM POWER Systems will no longer cause random segmentation faults

Kernel no longer consumes excessive amounts of resources to calculate loadCpuset is now able to restore the effective CPU mask after a pair of offline and online eventsAccess to /proc/[pid]/maps is now significantly fasterfadump no longer fails to restart

104104104105105105105105106106106106106106106106107107107

108108108

109109

110110110

111111111111111111112112112

113113113113113113113

113113114114114

7.5 Release Notes

8

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

makedumpfile can now map page table entries correctlyAsymmetric groups are used for overlapping scheduling domainsThe KASLR no longer causes kernel to become unresponsive while booting the systemUnplugging a Wacom tablet with ExpressKeys no longer causes the operating system to rebootSetting memory.kmem.limit_in_bytes no longer causes a problem when removing that memory cgroup laterThe sha1-avx2 encryption algorithm is now re-enabledVXLAN rebased to version 4.14

CHAPTER 32. NETWORKINGNetwork operation persists when ip6mr unregisters an already unregistered deviceSending big files through VTI no longer failsL2TP with IPv6 encapsulation now works in name spaceFlushing ARP entries no longer failsUsing cls_matchall with classful queue disciplines no longer causes the kernel to crashICMP error packets are no longer lost when a user connects to a closed SCTP portSCTP now selects the right source addressDevice reference held by iptables CLUSTERIP target is now properly released on namespace deletionThe nftables configuration files are no longer publicly readableThe Ready to read events are now correctly sent to an application when SENDER_DRY_EVENTS is enabled

SCTP statistics now availableThe firewalld service daemon no longer hangs in the rmmod process

CHAPTER 33. SECURITYWhen firewalld starts, net.netfilter.nf_conntrack_max is no longer reset to default if its configuration existsTomcat can now be started using tomcat-jsvc with SELinux in enforcing modeSELinux now allows vdsm to communicate with lldpadOpenSSH servers without Privilege Separation no longer crashThe clevis luks bind command no longer fails with the DISA STIG-compliant password policyWinSCP 5.10 now works properly with OpenSSHSFTP no longer allows to create zero-length files in read-only mode

CHAPTER 34. SERVERS AND SERVICESInternal buffer locks no longer cause deadlocks in libdbWeekly log rotations are now triggered more predictablyghostscript no longer crashes while processing large PDF filesConverting large PDF files to PNG with ghostscript no longer failskrfb no longer crashes when unable to bind to an IPv6 portmod_nss properly detects the threading model in Apache to improve performanceatd no longer runs with 100% CPU utilization nor fills system logReaR now provides a more helpful error message when grub2-efi-x64-modules is missingReaR no longer fails to determine disk size during a mkrescue operationReaR no longer requires dosfsck and efibootmgr on non-UEFI systemsReaR no longer fails with NetBackup and has more reliable network configurationReaR recovery no longer fails when backup integrity checking is enabled

CHAPTER 35. STORAGEDM Multipath no longer crashes when adding a feature to an empty stringI/O operations no longer hang with RAID1

CHAPTER 36. SYSTEM AND SUBSCRIPTION MANAGEMENTYum no longer crashes in certain nss and nspr update scenarioThe fastestmirror plug-in now orders mirrors before the metadata downloadThe package-cleanup script no longer removes package dependencies of non-duplicates

114114114115115115115

116116116116116116116116117117

117117117

118118118118118118118118

119119119119119119119119119120120120120

121121121

122122122122

Table of Contents

9

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

rhnsd.pid is now writable only by the ownerrhn_check now correctly reports system reboots to SatelliteThe rpm rhnlib -qi command now refers to the current upstream project websiteKernel installations using rhnsd complete successfullyrhn_check no longer modifies permissions on files in /var/cache/yum/subscription-manager reports an RPM package if its vendor contains non-UTF8 characterssubscription-manager now works with proxies that expect the Host headersubscription-manager assigns valid IPv4 addresses to network.ipv4_address even if initial DNS resolution fails

virt-who ensures that provided options fit the same virtualization typevirt-who configuration no longer resets on upgrade or reinstallvirt-who now reads the 'address' field provided by RHEVM to discover and report the correct host name

CHAPTER 37. VIRTUALIZATIONGuests no longer shut down unexpectedly during rebootGuests accessed using a serial console no longer become unresponsivevirt-v2v now warns about not converting PCI passthrough devicesWhen importing OVAs, virt-v2v now parses MAC addresses

PART III. TECHNOLOGY PREVIEWS

CHAPTER 38. GENERAL UPDATESThe systemd-importd VM and container image import and export service

CHAPTER 39. AUTHENTICATION AND INTEROPERABILITYUse of AD and LDAP sudo providersDNSSEC available as Technology Preview in IdMIdentity Management JSON-RPC API available as Technology PreviewThe Custodia secrets service provider is now availableContainerized Identity Management server available as Technology Preview

CHAPTER 40. CLUSTERINGThe pcs tool now manages bundle resources in PacemakerNew fence-agents-heuristics-ping fence agentHeuristics supported in corosync-qdevice as a Technology Preview

CHAPTER 41. DESKTOPWayland available as a Technology PreviewFractional Scaling available as a Technology Preview

CHAPTER 42. FILE SYSTEMSThe CephFS kernel client is now availableext4 and XFS file systems now support DAXpNFS block layout is now availablepNFS SCSI layout is now available for client and serverOverlayFSBtrfs file systemNew package: ima-evm-utils

CHAPTER 43. HARDWARE ENABLEMENTLSI Syncro CS HA-DAS adapterstss2 enables TPM 2.0 for IBM Power LEibmvnic Device Driver

CHAPTER 44. KERNELHeterogeneous memory management included as a Technology Preview

122122122122122123123

123123123123

124124124124124

125

126126

127127127127127128

129129129129

130130130

131131131131131131132132

133133133133

134134

7.5 Release Notes

10

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

criu rebased to version 3.5kexec as a Technology Previewkexec fast reboot as a Technology PreviewUnprivileged access to name spaces can be enabled as a Technology PreviewSCSI-MQ as a Technology Preview in the qla2xxx driverNVMe over Fibre Channel is now available as a Technology Previewperf cqm has been replaced by resctrl

CHAPTER 45. REAL-TIME KERNELThe SCHED_DEADLINE scheduler class as Technology Preview

CHAPTER 46. NETWORKINGCisco usNIC driverCisco VIC kernel driverTrusted Network ConnectSR-IOV functionality in the qlcnic driverThe libnftnl and nftables packagesThe flower classifier with off-loading support

CHAPTER 47. RED HAT ENTERPRISE LINUX SYSTEM ROLES POWERED BY ANSIBLERed Hat Enterprise Linux System Roles

CHAPTER 48. SECURITYUSBGuard enables blocking USB devices while the screen is locked as a Technology Previewpk12util can now import certificates signed with RSA-PSSSupport for certificates signed with RSA-PSS in certutil has been improvedNSS is now able to verify RSA-PSS signatures on certificatesSECCOMP can be now enabled in libreswan

CHAPTER 49. STORAGEMulti-queue I/O scheduling for SCSITargetd plug-in from the libStorageMgmt APISupport for Data Integrity Field/Data Integrity Extension (DIF/DIX)

CHAPTER 50. VIRTUALIZATIONUSB 3.0 support for KVM guestsSelect Intel network adapters now support SR-IOV as a guest on Hyper-VNo-IOMMU mode for VFIO driversvirt-v2v can now use vmx configuration files to convert VMware guestsvirt-v2v can convert Debian and Ubuntu guestsVirtio devices can now use vIOMMUvirt-v2v converts VMWare guests faster and more reliablyOpen Virtual Machine Firmware

PART IV. DEVICE DRIVERS

CHAPTER 51. NEW DRIVERSStorage DriversNetwork DriversGraphics Drivers and Miscellaneous Drivers

CHAPTER 52. UPDATED DRIVERSStorage Driver UpdatesNetwork Driver UpdatesGraphics Driver and Miscellaneous Driver Updates

134134134134134135135

137137

138138138138138138138

139139

140140140140140140

142142142142

143143143143143143143143144

145

146146146146

147147147148

Table of Contents

11

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

CHAPTER 53. DEPRECATED FUNCTIONALITYPython 2 has been deprecatedLVM libraries and LVM Python bindings have been deprecatedMirrored mirror log has been deprecated in LVMDeprecated packages related to Identity Management and securitySupport for earlier IdM servers and for IdM replicas at domain level 0 will be limitedBug-fix only support for the nss-pam-ldapd and NIS packages in the next major release of Red HatEnterprise LinuxUse the Go Toolset instead of golangmesa-private-llvm will be replaced with llvm-privatelibdbi and libdbi-drivers have been deprecatedAnsible deprecated in the Extras channelsigntool has been deprecatedTLS compression support has been removed from nssPublic web CAs are no longer trusted for code signing by defaultSendmail has been deprecateddmraid has been deprecatedAutomatic loading of DCCP modules through socket layer is now disabled by defaultrsyslog-libdbi has been deprecatedThe inputname option of the rsyslog imudp module has been deprecatedSMBv1 is no longer installed with Microsoft Windows 10 and 2016 (updates 1709 and later)FedFS has been deprecatedBtrfs has been deprecatedtcp_wrappers deprecatednautilus-open-terminal replaced with gnome-terminal-nautilussslwrap() removed from PythonSymbols from libraries linked as dependencies no longer resolved by ldWindows guest virtual machine support limitedlibnetlink is deprecatedS3 and S4 power management states for KVM have been deprecatedThe Certificate Server plug-in udnPwdDirAuth is discontinuedRed Hat Access plug-in for IdM is discontinuedThe Ipsilon identity provider service for federated single sign-onSeveral rsyslog options deprecatedDeprecated symbols from the memkind libraryOptions of Sockets API Extensions for SCTP (RFC 6458) deprecatedManaging NetApp ONTAP using SSLv2 and SSLv3 is no longer supported by libstorageMgmtdconf-dbus-1 has been deprecated and dconf-editor is now delivered separatelyFreeRADIUS no longer accepts Auth-Type := SystemDeprecated Device DriversDeprecated AdaptersThe libcxgb3 library and the cxgb3 firmware package have been deprecatedSFN4XXX adapters have been deprecatedSoftware-initiated-only FCoE storage technologies have been deprecatedContainers using the libvirt-lxc tooling have been deprecated

PART V. KNOWN ISSUES

CHAPTER 54. AUTHENTICATION AND INTEROPERABILITYA crash is reported after an unsuccessful lightweight CA key retrievalOpenLDAP causes programs to fail immediately in case of incorrect configurationOpenLDAP reports failures when CACertFile or CACertDir point to an invalid locationOpenLDAP does not update TLS configuration after inconsistent changes in cn=config

149149149149149151

151151152152152152153153153153153153153153154154154154154154155155155155155155155155156156156156157159164164164165

166

167167167167167

7.5 Release Notes

12

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Identity Management terminates connections unexpectedlyDirectory Server can terminate unexpectedly during shutdown

CHAPTER 55. CLUSTERINGData corruption occurs on RAID 10 reshape on top of VDO with el7 kernel.

CHAPTER 56. COMPILER AND TOOLSMemory consumption of applications using libcurl grows with each TLS connectionOProfile and perf can not sample events on 2nd generation Intel Xeon Phi processors when NMI watchdog isdisabled

CHAPTER 57. DESKTOPCannot install downloaded RPM files from NautilusCaps Lock LED statusInconsistent GNOME Shell versionsUninstall the 32-bit version of flatpakGNOME downgrade does not workWayland ignores keyboard grabs issued by X11 applications, such as virtual machines viewersSuperuser should not run graphical sessionsKeyboard not working in VM browsed by remote-viewer and virt-viewergnome-system-log does not work on WaylandGUI screen is shown incorrectlyxrandr fails to provide some video modesradeon fails to reset hardware correctlynouveau fails to load Nvidia secboot firmwareXchat status icon disappears from Top Icons panelGDM does not activate hotplugged monitorsWacom Expresskeys Remote not detected as tabletSynaptics dependency removes xorg-x11-driversT470s docking station jack does not work on resumeScreen occasionally turns off when xrandr is executedHDMI and DP for 8th generation Intel Core processors not enumerating sound inputsTray icons are non-responsive for auto-started applicationsInconsistent panel color on login screenAdditional displays are mirrored after attaching a VM guest

CHAPTER 58. INSTALLATION AND BOOTINGSelecting the Lithuanian language causes the installer to crashoscap-anaconda-addon fails to remediate when installing in TUI using KickstartThe grub2-mkimage command fails on UEFI systems by defaultKernel panic during RHEL 7.5 installation on HPE BL920s Gen9 systemsThe READONLY=yes option is not sufficient to configure a read-only system

CHAPTER 59. KERNELSecurity patches addressing Spectre and Meltdown issues can cause performance lossThe KSC does not support the xz compressionThe update of megaraid_sas can lead to a performance decreaseqedi fails to bind to the iSCSI PCIe function if qede is loadedradeon causes a kernel panicKdump kernel fails to boot after a CPU hot add or hot remove operation

CHAPTER 60. NETWORKINGVerification of signatures using the MD5 hash algorithm is disabled in Red Hat Enterprise Linux 7

CHAPTER 61. SECURITY

167167

169169

170170

170

171171171171171171171172172172172172172173173173173173173174174174174174

175175175175175175

177177177177177178178

179179

180

Table of Contents

13

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

NSS accept malformed RSA PKCS#1 v1.5 signatures made with an RSA-PSS keyAuthentication using ssh-agent not from OpenSSH failsParsing of OpenSSH public keys is more strictSCAP Workbench fails to generate results-based remediations from tailored profilesClevis can log spurious Device is not initialized error messagesLibreswan is not working properly with seccomp=enabled on all configurationsOpenSCAP RPM verification rules do not work correctly with VM and container file systemsFirefox and other applications using NSS become unresponsive when a smart card is inserted

CHAPTER 62. SERVERS AND SERVICESNo clear indication of profile activation error in the Tuned servicedb_hotbackup -c should be used with cautionSetting ListenStream= options in rpcbind.socket causes systemd-logind to fail and SSH connections to be delayed

ReaR recovery process fails on non-UEFI systems with the grub2-efi-x64 package installedISO images generated by ReaR with Linux TSM fail to workUnexpected problems with the dbus rebase

CHAPTER 63. STORAGEThe kexec -e command might cause storage errors with advanced storage controllers

CHAPTER 64. VIRTUALIZATIONGuests reporting cmt, mbmt, or mbml perf events fail to boot

APPENDIX A. COMPONENT VERSIONS

APPENDIX B. LIST OF BUGZILLAS BY COMPONENT

APPENDIX C. REVISION HISTORY

180180180180180180180181

182182182

182182182182

183183

184184

185

186

198

7.5 Release Notes

14

PREFACERed Hat Enterprise Linux (RHEL) minor releases are an aggregation of individual security,enhancement, and bug fix errata. The Red Hat Enterprise Linux 7.5 Release Notes document describesthe major changes made to the Red Hat Enterprise Linux 7 operating system and its accompanyingapplications for this minor release, as well as known problems and a complete list of all currentlyavailable Technology Previews.

Capabilities and limits of Red Hat Enterprise Linux 7 as compared to other versions of the system areavailable in the Red Hat Knowledgebase article available at https://access.redhat.com/articles/rhel-limits.

Packages distributed with this release are listed in Red Hat Enterprise Linux 7 Package Manifest.Migration from Red Hat Enterprise Linux 6 is documented in the Migration Planning Guide.

For information regarding the Red Hat Enterprise Linux life cycle, refer tohttps://access.redhat.com/support/policy/updates/errata/.

PREFACE

15

https://access.redhat.com/articles/rhel-limits

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Package_Manifest/index.html

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Migration_Planning_Guide/index.html

https://access.redhat.com/support/policy/updates/errata/

CHAPTER 1. OVERVIEW

Security and Compliance

Security improvements and usability enhancements for cloud and remotely hosted systems thatcan more securely unlock Network Bound Disk Encrypted devices at boot-time. This eliminatesthe need for manual intervention during the often inconveniently-timed boot process.

The integration of Red Hat Ansible Automation with OpenSCAP, which enhances the ease ofautomating the remediation of compliance issues and enables administrators to more efficientlydeploy policies across their environment.

Compliance improvements for accurate timestamping and synchronization needs with theaddition of failover with bonding interfaces for Precision Time Protocol (PTP) and Network TimeProtocol (NTP).

See Chapter 14, Security and Chapter 7, Compiler and Tools for more information.

Performance and Efficiency

The introduction of Virtual Data Optimizer (VDO), designed to reduce data redundancy throughinline deduplication and compression of primary storage. The incorporated data reductiontechnology helps to increase storage efficiency and reduce the cost of storage.

Distributed File System (DFS) supported in Server Message Block (SMB) protocol versions 2and 3. This enables a Windows system administrator to combine multiple SMB file systems intoa single virtual file system.

For details, see Chapter 16, Storage and Chapter 9, File Systems.

Platform Manageability

Enhanced usability of the Cockpit administrator console, which is designed to simplify theinterface for managing storage, networking, containers, services, and more for individualsystems.

A new utility, boom, which provides a command-line tool and an API for improved managementof boot loader entries for LVM snapshots and images.

For details, see Chapter 17, System and Subscription Management and Chapter 16, Storage.

Identity Management and Access Control

Windows Server 2016 forest and domain functional levels are now supported for a cross-foresttrust with Identity Management.

The handling of replication conflict entries in Directory Server has been enhanced.

The OpenLDAP suite is now compiled with the OpenSSL library instead of the Mozillaimplementation of Network Security Services (Mozilla NSS).

The samba packages have been upgraded to upstream version 4.7.1. Notably, the Samba suitein Red Hat Enterprise Linux is now using the SMB protocol version 3 by default.

Multiple enhancements for the System Security Services Daemon (SSSD) have beenintroduced.

7.5 Release Notes

16

The performance and stability of the Active Directory integration solutions provided byIdentity Management have been enhanced.

For details, see Chapter 5, Authentication and Interoperability.

Support for Architectures in the New Kernel VersionRed Hat Enterprise Linux 7.5 is distributed with the kernel-alt packages, which include kernel version4.14. This kernel version provides support for the following architectures:

64-bit ARM

IBM POWER9 (little endian)

IBM z Systems

For details, see Chapter 2, Architectures.

Virtualization

KVM virtualization is now supported on IBM POWER8 systems. In addition, this updateintroduces support for KVM virtualization on the IBM POWER9 (little-endian) and IBM zSystems architectures. However, these require the use of kernel version 4.14, provided by thekernel-alt packages.

For details, see Chapter 18, Virtualization and Chapter 2, Architectures.

Red Hat InsightsSince Red Hat Enterprise Linux 7.2, the Red Hat Insights service is available. Red Hat Insights is aproactive service designed to enable you to identify, examine, and resolve known technical issues beforethey affect your deployment. Insights leverages the combined knowledge of Red Hat Support Engineers,documented solutions, and resolved issues to deliver relevant, actionable information to systemadministrators.

The service is hosted and delivered through the Customer Portal or through Red Hat Satellite. Toregister your systems, follow the Getting Started Guide for Insights.

Red Hat Customer Portal LabsRed Hat Customer Portal Labs is a set of tools in a section of the Customer Portal available athttps://access.redhat.com/labs/. The applications in Red Hat Customer Portal Labs can help youimprove performance, quickly troubleshoot issues, identify security problems, and quickly deploy andconfigure complex applications. Some of the most popular applications are:

Spectre And Meltdown Detector

Registration Assistant

Red Hat Code Browser

Kickstart Generator

Red Hat Product Certificates

Load Balancer Configuration Tool

Red Hat Network (RHN) System List Exporter

Log Reaper

CHAPTER 1. OVERVIEW

17

https://access.redhat.com/products/red-hat-insights

https://access.redhat.com/products/red-hat-insights#getstarted

https://access.redhat.com/labs/

https://access.redhat.com/labs/speculativeexecution/

https://access.redhat.com/labs/registrationassistant/

https://access.redhat.com/labs/psb/

https://access.redhat.com/labs/kickstartconfig/

https://access.redhat.com/labs/rhpc/

https://access.redhat.com/labs/lbconfig/

https://access.redhat.com/labs/rhnsle/

https://access.redhat.com/labs/logreaper/

Product Life Cycle Checker

JVM Options Configuration Tool

7.5 Release Notes

18

https://access.redhat.com/labs/plcc/

https://access.redhat.com/labs/jvmconfig/

CHAPTER 2. ARCHITECTURES

Red Hat Enterprise Linux 7.5 is available as a single kit on the following architectures: [1]

64-bit AMD

64-bit Intel

IBM POWER7+ and POWER8 (big endian) [2]

IBM POWER8 (little endian) [3]

IBM z Systems [4]

Support for Architectures in the kernel-alt PackagesRed Hat Enterprise Linux 7.5 is distributed with the kernel-alt packages, which include kernel version4.14. This kernel version provides support for the following architectures:

64-bit ARM

IBM POWER9 (little endian) [5]

IBM z Systems

The following table provides an overview of architectures supported by the two kernel versions availablein Red Hat Enterprise Linux 7.5:

Table 2.1. Architectures Supported in Red Hat Enterprise Linux 7.5

Architecture Kernel version 3.10 Kernel version 4.14

64-bit AMD and Intel yes no

64-bit ARM no yes

IBM POWER7 (big endian) yes no

IBM POWER8 (big endian) yes no

IBM POWER8 (little endian) yes no

IBM POWER9 (little endian) no yes

IBM z System yes[a] yes (Structure A)

[a] The 3.10 kernel version does not support KVM virtualization and containers on IBM z Systems. Both of these featuresare supported on the 4.14 kernel on IBM z Systems - this offerring is also referred to as Structure A.

For more information, see Chapter 19, Red Hat Enterprise Linux 7.5 for ARM and Chapter 20, Red HatEnterprise Linux 7.5 for IBM Power LE (POWER9).

CHAPTER 2. ARCHITECTURES

19

[1] Note that the Red Hat Enterprise Linux 7.5 installation is supported only on 64-bit hardware. Red HatEnterprise Linux 7.5 is able to run 32-bit operating systems, including previous versions of Red Hat EnterpriseLinux, as virtual machines.

[2] Red Hat Enterprise Linux 7.5 POWER8 (big endian) are currently supported as KVM guests on Red HatEnterprise Linux 7.5 POWER8 systems that run the KVM hypervisor.

[3] Red Hat Enterprise Linux 7.5 POWER8 (little endian) is currently supported as a KVM guest on Red HatEnterprise Linux 7.5 POWER8 systems that run the KVM hypervisor. In addition, Red Hat Enterprise Linux 7.5POWER8 (little endian) guests are supported on Red Hat Enterprise Linux 7.5 POWER9 systems that run the KVMhypervisor in POWER8-compatibility mode on version 4.14 kernel using the kernel-alt package.

[4] Red Hat Enterprise Linux 7.5 for z Systems (both the 3.10 kernel version and the 4.14 kernel version) iscurrently supported as a KVM guest on Red Hat Enterprise Linux 7.5 for z Systems hosts that run the KVM onversion 4.14 kernel using the kernel-alt package.

[5] Red Hat Enterprise Linux 7.5 POWER9 (little endian) is currently supported as a KVM guest on Red HatEnterprise Linux 7.5 POWER9 systems that run the KVM hypervisor on version 4.14 kernel using the kernel-altpackage.

7.5 Release Notes

20

CHAPTER 3. IMPORTANT CHANGES TO EXTERNAL KERNELPARAMETERSThis chapter provides system administrators with a summary of significant changes in the kernelshipped with Red Hat Enterprise Linux 7.5. These changes include added or updated proc entries, sysctl, and sysfs default values, boot parameters, kernel configuration options, or any noticeablebehavior changes.

KERNEL PARAMETERS

amd_iommu_intr = [HW,X86-64]

Specifies one of the following AMD IOMMU interrupt remapping modes.

legacy - Use legacy interrupt remapping mode.

vapic - Use virtual APIC mode, which allows IOMMU to inject interrupts directly into guest. This moderequires kvm-amd.avic=1, which is default when IOMMU HW support is present.

debug_pagealloc = [KNL]

When CONFIG_DEBUG_PAGEALLOC is set, this parameter enables the feature at boot time. It isdisabled by default. To avoid allocating huge chunk of memory for debug pagealloc do not enableit at boot time, and the operating system will work similarly as with the kernel built without CONFIG_DEBUG_PAGEALLOC.

Use debug_pagealloc = on to enable the feature.

ftrace_graph_max_depth = uint[FTRACE]

This parameter is used with the function graph tracer. It defines the maximum depth it will trace into afunction. Its value can be changed at run time by the max_graph_depth file file in the tracefstracing directory.

The default values is 0, which means that no limit is set.

init_pkru = [x86]

Specifies the default memory protection keys rights register contents for all processes.

The default value is 0x55555554, which disallows access to all but pkey 0. You can override thevalue in the debugfs file system after boot.

nopku = [x86]

Disables the Memory Protection Keys CPU feature found in some Intel CPUs.

mem_encrypt = [X86-64]

Provides AMD Secure Memory Encryption (SME) control. The valid arguments are: on, off.

The default setting depends on kernel configuration option:

on : CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=y

off : CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=n

mem_encrypt=on: Activate SME

CHAPTER 3. IMPORTANT CHANGES TO EXTERNAL KERNEL PARAMETERS

21

mem_encrypt=off: Do not activate SME

KERNEL PARAMETERS TO MITIGATE SPECTRE AND MELTDOWNISSUES

kpti = [X86-64]

Enables kernel page table isolation.

nopti = [X86-64]

Disables kernel page table isolation.

nospectre_v2 = [X86]

Disables all mitigations for the Spectre variant 2 (indirect branch speculation) vulnerability. Theoperating system may allow data leaks with this option, which is equivalent to spectre_v2=off.

spectre_v2 = [X86]

Controls mitigation of Spectre variant 2 (indirect branch speculation) vulnerability.

The valid arguments are: on, off, auto.

on: unconditionally enable

off: unconditionally disable

auto: kernel detects whether your CPU model is vulnerable

Selecting on will, and auto may, choose a mitigation method at run time according to the CPU, theavailable microcode, the setting of the CONFIG_RETPOLINE configuration option, and the compilerwith which the kernel was built.

You can also select specific mitigations manually:

retpoline: replaces indirect branches

ibrs: Intel: Indirect Branch Restricted Speculation (kernel)

ibrs_always: Intel: Indirect Branch Restricted Speculation (kernel and user space)

Not specifying this option is equivalent to spectre_v2=auto.

UPDATED /PROC/SYS/NET/CORE ENTRIES

dev_weight_rx_bias

The RPS processing, for example RFS and aRFS, is competing with the registered NAPI poll functionof the driver for the per softirq cycle netdev_budget.

This parameter influences the proportion of the configured netdev_budget that is spent on RPSbased packet processing during RX softirq cycles. It also makes current dev_weight adaptable forasymmetric CPU needs on receiving on transmitting side of the network stack.

This parameter is effective on a per CPU basis. Determination is based on dev_weight, and it iscalculated in multiplicative way (dev_weight * dev_weight_rx_bias). The default value is 1.

7.5 Release Notes

22

dev_weight_tx_bias

This parameter scales the maximum number of packets that can be processed during a TX softirqcycle.

It is effective on a per CPU basis, and allows scaling of current dev_weight for asymmetric netstack processing needs. Make sure to avoid making TX softirq processing a CPU hog.

Determination is based on dev_weight, and it is calculated in multiplicative way (dev_weight *dev_weight_rx_bias). The default value is 1.

CHAPTER 3. IMPORTANT CHANGES TO EXTERNAL KERNEL PARAMETERS

23

PART I. NEW FEATURES

This part documents new features and major enhancements introduced in Red Hat Enterprise Linux 7.5.

7.5 Release Notes

24

CHAPTER 4. GENERAL UPDATES

In-place upgrade from Red Hat Enterprise Linux 6 to Red Hat Enterprise Linux 7An in-place upgrade offers a way of upgrading a system to a new major release of Red Hat EnterpriseLinux by replacing the existing operating system. To perform an in-place upgrade, use the Preupgrade Assistant, a utility that checks the system for upgrade issues before running the actual upgrade, andthat also provides additional scripts for the Red Hat Upgrade Tool. When you have solved all theproblems reported by the Preupgrade Assistant, use the Red Hat Upgrade Tool to upgrade thesystem.

For details regarding procedures and supported scenarios, seehttps://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Migration_Planning_Guide/chap-Red_Hat_Enterprise_Linux-Migration_Planning_Guide-Upgrading.html and https://access.redhat.com/solutions/637583.

Note that the Preupgrade Assistant and the Red Hat Upgrade Tool are available in the Red HatEnterprise Linux 6 Extras channel, see https://access.redhat.com/support/policy/updates/extras.(BZ#1432080)

The setup package now provides a way to override unpredictable environmentsettingsThe setup package now provides and sources the sh.local and csh.local files for overrides ofenvironment variables from the /etc/profile.d directory, which is sourced last. Previously, anundefined order could result in unpredictable environment settings, especially when multiple scriptschanged the same environment variable. (BZ#1344007)


25

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Migration_Planning_Guide/chap-Red_Hat_Enterprise_Linux-Migration_Planning_Guide-Upgrading.html

https://access.redhat.com/solutions/637583

https://access.redhat.com/support/policy/updates/extras

https://bugzilla.redhat.com/show_bug.cgi?id=1344007

CHAPTER 5. AUTHENTICATION AND INTEROPERABILITY

Windows Server 2016 forest and domain functional levels now supported for trustWhen using Identity Management, you can now establish a supported forest trust to Active Directoryforests that run at the Windows Server 2016 forest and domain functional levels. (BZ#1484683)

Directory Server no longer displays replication conflict entries in search resultsPreviously, if replication conflict entries existed in a replication topology, Directory Server returned themby default as part of the search result. As a consequence, certain LDAP clients behaved incorrectly if theserver returned such entries. With this update, the server no longer returns conflict entries in a searchand you have to explicitly request them. As a result, clients work as expected.

In addition, the update improves the resolution of more complex conflict scenarios.

For further details, see https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_replication-solving_common_replication_conflicts. (BZ#1274430)

OpenLDAP is now compiled with OpenSSL instead of NSSPreviously, the OpenLDAP suite used the Mozilla implementation of Network Security Services (MozillaNSS). With this update, OpenLDAP uses the OpenSSL library. Existing certificates in the NSS database(DB) are automatically extracted to the PEM format and passed to OpenSSL.

Note that NSS DBs continue to be supported. However, OpenSSL-like configuration, such as PEM files,is preferred over NSS-like configuration, such as NSS DB. (BZ#1400578)

Samba rebased to version 4.7.1The samba packages have been upgraded to upstream version 4.7.1, which provides a number of bugfixes and enhancements over the previous version. Notable changes include:

Previously, the default value of the rpc server dynamic port range parameter was 1024-1300. With this update, the default has been changed to 49152-65535 and nowmatches the range used in Windows Server 2008 and later. Update your firewall rules ifnecessary.

Samba now uses the Advanced Encryption Standard (AES) instruction set of Intel CPUs toaccelerate Server Message Block (SMB) 3 signing and encryption operations.

The options of the ntlm auth parameter have been extended. The parameter now accepts the ntlmv2-only (alias no), ntlmv1-permitted (alias yes), mschapv2-and-ntlmv2-only,and disabled options. Additionally, the default value was renamed from no to ntlmv2-only.

The smbclient utility no longer displays a banner with the domain, operating system, andserver version when connecting to a server.

The default value of the client max protocol parameter has been changed to SMB3_11.This enables utilities, such as smbclient, to connect to servers using the SMB 3.11 protocolwithout setting the protocol version.

For a better interoperability, Samba no longer supports using mixed minor versions in a CTDBcluster.

Samba automatically updates its tdb database files when the smbd, nmbd, or winbind daemon starts.Back up the database files before starting Samba. Note that Red Hat does not support downgrading tdbdatabase files.

7.5 Release Notes

26


https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_replication-solving_common_replication_conflicts


For further information about notable changes, read the upstream release notes before updating:

https://www.samba.org/samba/history/samba-4.7.0.html (BZ#1470048)

The SSSD LDAP provider can now automatically create user private groups forusersWhen using the System Security Services Daemon (SSSD) LDAP provider, a user group must beassigned to each user. Previously, the administrator had to create a group for each user manually. Withthis update, SSSD automatically generates a user private group from the user entry and ensures that theUID and GID match. To activate this feature, enable the auto_private_groups option in the LDAPprovider section in the /etc/sssd/sssd.conf file. (BZ#1327705)

SSSD enrolled to an AD domain remembers the discovered AD site after the firstsuccessful connectionPreviously, the System Security Services Daemon (SSSD) sent an LDAP ping to any Active Directory(AD) domain controller (DC) in order to determine a client's AD site. If the contacted DC wasunreachable, a timeout occurred, which delayed the connection for several seconds. With this update,SSSD remembers the client's site after the first successful discovery. All subsequent LDAP pings areperformed on the DC from the client's site, which helps speed up the request. (BZ#1400614)

SSSD logs changes in its status to syslogPreviously, the System Security Services Daemon (SSSD) logged information about changing its onlineor offline status to the SSSD logs only. With this update, the changes in SSSD status are logged also tothe syslog service, which improves the availability of the information to system administrators.(BZ#1416150)

SSSD performance has improvedThis update provides several performance-related enhancements for the System Security ServicesDaemon (SSSD). Most notably:

Several missing indexes have been added in the SSSD cache, which makes lookups of cachedobjects faster.

Changes to how users and groups are saved prevent the SSSD cache performance degradationthat occurred after the cache was populated with a large number of cached objects.

As a result, SSSD reads user and group objects, especially large groups, faster. Also, the SSSD cacheperformance can now remain stable even when the cache size and the number of cache objectsincrease. (BZ#1472255, BZ#1482555)

The pwdhash utility can now retrieve the storage scheme from the configurationdirectoryPreviously, if you passed the path to the configuration directory to the pwdhash, the utility used thedefault storage scheme of Directory Server to encrypt the password. With this update, the pwdhashutility uses the storage scheme set in the nsslapd-rootpwstoragescheme attribute in the cn=config entry, if you run pwdhash as a user with read permissions on the /etc/dirsrv/slapd-instance_name/dse.ldif file. As a result, you no longer have to specify the storage scheme in thementioned scenario if it differs from the Directory Server's default. (BZ#1467777)

New utility to compare two Directory Server instancesThis update adds the ds-replcheck utility to Directory Server. This utility compares the data of twoservers in online mode, or two LDIF-formatted files in offline mode. As a result, you can now verify thereplication consistency of two Directory Servers.


27

https://www.samba.org/samba/history/samba-4.7.0.html







For further details, see https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/comparing_two_directory_server_databases.(BZ#1406351)

Directory Server now supports enabling the memberOf plug-in on read-only replicasIf you previously enabled the memberOf plug-in on a read-only Directory Server replica server, the plug-in failed to update member entries. To use the plug-in in a replication topology, you could only enable iton write-enabled servers, and replicate the memberOf attribute to read-only replicas. With this update,you can now alternatively enable the plug-in on all servers. As a result, you can use the plug-in on read-only servers the same as on write-enabled server.

For further details, see https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/advanced_entry_management#considerations_when_using_the_memberof_plug-in. (BZ#1352121)

Directory Server rebased to version 1.3.7.5The 389-ds-base packages have been upgraded to upstream version 1.3.7.5, which provides a numberof bug fixes and enhancements over the previous version. For a complete list of notable changes, readthe upstream release notes before updating:

http://directory.fedoraproject.org/docs/389ds/releases/release-1-3-7-2.html



http://directory.fedoraproject.org/docs/389ds/releases/release-1-3-7-5.html (BZ#1470169)

Directory Server supports additional password storage schemesFor compatibility reasons, this update adds support for the following weak password storage schemes toDirectory Server:

CRYPT-MD5

CRYPT-SHA256

CRYPT-SHA512

For security reasons, use these weak storage schemes only temporary for existing installations andconsider migrating to a strong password storage schema. (BZ#1479012)

Directory Server now uses separate normalized DN caches for each worker threadPreviously, multiple worker threads used a single normalized Distinguished Name (DN) cache.Consequently, if multiple clients performed operations on Directory Server, performance decreased. Withthis update, Directory Server now creates separate normalized DN caches for each worker thread. As aresult, performance no longer decreases in the mentioned scenario. (BZ#1458536)

pki-core rebased to version 10.5.1The pki-core packages have been upgraded to upstream version 10.5.1, which provides a number ofbug fixes and enhancements over the previous version. Notably, this update addresses the requirementsfor the Common Criteria Protection Profile for Certification Authorities Version 2.1. (BZ#1473452)

Certificate System supports installing CA, KRA, and OCSP subsystems with CMCThis enhancement provides a mechanism to install CA, KRA, or OCSP subsystems with CertificateManagement over CMS (CMC). The installation will be done in two steps. The first step of the installationwill generate the Certificate Signing Requests (CSR) for the system certificates. The CSRs can be used

7.5 Release Notes

28

https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/comparing_two_directory_server_databases


https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/advanced_entry_management#considerations_when_using_the_memberof_plug-in










to issue the system certificates using CMC. The second step of the installation will use these systemcertificates and complete the subsystem installation. (BZ#1464549)

Certificate System supports creating instances running as a different userPreviously, Certificate System only used the systemd unit file from the /usr/lib/systemd/system/ directoryto start the service. Consequently, it was not possible to create a server running as a different user orgroup as pkiuser. The pkispawn utility has been updated. If the configuration file passed to pkispawncontains a different user or group, the utility now creates an override file with the customized values inthe /etc/systemd/system/pki-tomcatd@<instance_name>.service.d/user.conf file. As a result, runningCertificate System user a different user or group as the default is possible. (BZ#1523410)

Certificate System can now create PKCS #12 files using PBES2 with PBKDF2 keyderivationThis update enhances Certificate System and adds support for AES encryption of private keysrecovered from the Key Recovery Authority (KRA), when token-based key recovery is disabled.Specifically, when AES encryption is enabled, exported PKCS #12 files containing the recovered keyuses the PKCS #5 version 2.0 Password-Based Cryptography Specification version 2 (PBES2) withPassword-Based Key Derivation Function 2 (PBKDF2) key derivation and AES 128 encryption. UsingPBES2 with PBKDF2 makes the files created by Certificate System more secure. (BZ#1446786)

Certificate System CAs can now process CMC renewal requests signed by apreviously issued signing certificateThis update enables the Certificate Authority (CA) to process Certificate Management over CMS (CMC)renewal requests signed by a previously issued signing certificate. The implementation uses the caFullCMCUserSignedCert with the UniqueKeyConstraint enhanced profile constraint, whichhas also been updated to disallow renewal of a key shared by a revoked certificate. Additionally, itpreserves the origNotAfter attribute of the most recent certificate that shares the same key in therequest, which allows the attribute to be used by the RenewGracePeriodConstraint. If there is anexisting origNotAfter attribute, it is not overwritten in this process in order to not interfere with theexisting renewal by serial flow. Additionally, the caFullCMCUserSignedCert.cfg profile hasbeen updated to contain both the UniqueKeyConstraint and the RenewGracePeriodConstraint,which must be placed in the correct order. Note that by default, the allowSameKeyRenewal parameteris set to true in the UniqueKeyConstraint. (BZ#1419761)

Certificate System now uses the Mozilla NSS secure random number generatorWith this update, Certificate System uses a secure random number generator provided by the MozillaNetwork Security Services (NSS). This enables Red Hat Certificate System to synchronize itsDeterministic Random Bit Generator (DRBG) with Red Hat Enterprise Linux as required by the FederalInformation Processing Standard (FIPS) standard. (BZ#1452347)

Audit event changes in Certificate SystemTo provide more concise audit logs in Certificate System, the list of audit events enabled by default hasbeen updated. Additionally, certain events have been merged or renamed.

For a full list of audit events in Red Hat Certificate System, including information in which subsystemsthey are enabled by default, see https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/administration_guide/audit_events. (BZ#1445532)

krb5 now includes the kdcpolicy interfaceThis update introduces the Kerberos key distribution center (KDC) policy interface, known as kdcpolicy, to the krb5 package. Using kdcpolicy, administrators can provide a plug-in to krb5, whichenables them to control ticket lifetimes and gives them more fine-grained control on service ticketissuance.


29




https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/administration_guide/audit_events

For details, see the MIT Kerberos Documentation: https://web.mit.edu/kerberos/krb5-1.16/doc/plugindev/kdcpolicy.html. (BZ#1462982)

Certificate System now supports configurable hashing algorithms for the SKIextensionPreviously, Certificate System only supported the SHA1 hashing algorithm when generating the SubjectKey Identifier (SKI) certificate extension. With this update, administrators can now configure the hashingalgorithm for the SKI extension in certificate profiles.

The following algorithms are now available:

SHA1

SHA256

SHA384

SHA512

Note that the default algorithm is still SHA1. Therefore, existing profiles will not automatically be updated.(BZ#1024558)

The pki command-line interface automatically creates a default NSS databaseThe pki command-line interface requires a Network Security Services (NSS) database and its passwordto run operations over SSL connections, including basic authentication using a user name and password.Previously, pki displayed an error if the database did not exist or the database password was notspecified. The command-line interface has been updated to automatically create a default NSS databasewithout a password in the ~/.dogtag/nssdb/ directory. As a result, operations over SSL can beexecuted without specifying an NSS database or password. (BZ#1400645)

Certificate System disables weak 3DES ciphers by defaultBy default, Certificate System now disables ciphers based on the weak Triple Data Encryption Standard(3DES). This increases the security of the system. However, administrators are able to enable theseciphers again, if needed. For details, see https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/administration_guide/configuring-ciphers.

As a result, new Certificate System installations have only strong ciphers enabled by default.(BZ#1469169)

The Certificate System CA subsystem's OCSP provider now includes the nextUpdate field in responsesIf the Certificate Authority (CA) is configured to use the Certificate Revocation List (CRL) cache, the CAsubsystem's Online Certificate Status Protocol (OCSP) responder now includes the nextUpdate field inOCSP responses. As a result, in such scenarios, clients which conform to the Lightweight OCSP Profile(RFC 5019) are now able to process OCSP responses. (BZ#1523443)

ding-libs rebased to version 0.6.1The ding-libs packages have been upgraded to version 0.6.1. The most notable change is that ding-libscan now work with much bigger values, because the hard-coded limit to number of characters in valueshas been removed and the only limitation now is the amount of memory available. (BZ#1480270)

7.5 Release Notes

30

https://web.mit.edu/kerberos/krb5-1.16/doc/plugindev/kdcpolicy.html


https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/administration_guide/configuring-ciphers




CHAPTER 6. CLUSTERING

New SNMP agent to query a Pacemaker clusterThe new pcs_snmp_agent agent allows you to query a Pacemaker cluster for data by means ofSNMP. This agent provides basic information about a cluster, its nodes, and its resources. Forinformation on configuring this agent, see the pcs_snmp_agent(8) man page and the High AvailabilityAdd-On Reference. (BZ#1367808)

Support for Red Hat Enterprise Linux High Availability clusters on Amazon WebServicesRed Hat Enterprise Linux 7.5 supports High Availability clusters of virtual machines (VMs) on AmazonWeb Services (AWS). For information on configuring a Red Hat Enterprise Linux High Availability Clusteron AWS, see https://access.redhat.com/articles/3354781. (BZ#1451776)

Support for Red Hat Enterprise Linux High Availability clusters on Microsoft AzureRed Hat Enterprise Linux 7.5 supports High Availability clusters of virtual machines (VMs) in MicrosoftAzure. For information on configuring a Red Hat Enterprise Linux High Availability cluster on MicrosoftAzure, see https://access.redhat.com/articles/3252491. (BZ#1476009)

Unfencing is done in resource cleanup only if relevant parameters changedPreviously, in a cluster that included a fence device that supports unfencing, such as fence_scsi or fence_mpath, a general resource cleanup or a cleanup of any stonith resource would always result inunfencing, including a restart of all resources. Now, unfencing is only done if the parameters to thedevice that supports unfencing changed. (BZ#1427648)

The pcsd port is now configurableThe port on which pcsd is listening can now be changed in the pcsd configuration file, and pcs can nowcommunicate with pcsd using a custom port. This feature is primarily for the use of pcsd insidecontainers. (BZ#1415197)

Fencing and resource agents are now supported by AWS Python libraries and aCLI clientWith this enhancement, Amazon Web Services Python libraries (python-boto3, python-botocore, andpython-s3transfer) and a CLI client (awscli) have been added to support fencing and resource agents inhigh availability setups. (BZ#1512020)

Fencing in HA setups is now supported by Azure Python librariesWith this enhancement, Azure Python libraries (python-isodate, python-jwt, python-adal, python-msrest,python-msrestazure, and python-azure-sdk) have been added to support fencing in high availabilitysetups. (BZ#1512021)

New features added to the sbd binary.The sbd binary used as a command line tool now provides the following additional features:

Easy verification of the functionality of a watchdog device

Ability to query a list of available watchdog devices

For information on the sbd command line tool, see the sbd(8) man page. (BZ#1462002)

sbd rebased to version 1.3.1The sbd package has been rebased to upstream version 1.3.1. This version brings the followingchanges:


31

https://access.redhat.com/articles/3354781



Adds commands to test and query watchdog devices

Overhauls the command-line options and configuration file

Properly handles off actions instead of reboot (BZ#1499864)

Cluster status now shows by default when a resource action is pendingPacemaker supports a record-pending option that previously defaulted to false, meaning thatcluster status would only show the current status of a resource (started or stopped). Now, record-pending defaults to true, meaning that cluster status may also show when a resource is in the processof starting or stopping. (BZ#1461976)

clufter rebased to version 0.77.0The clufter packages have been upgraded to upstream version 0.77.0, which provides a number of bugfixes, new features, and user experience enhancements over the previous version. Among the notableupdates are the following:

When using clufter to translate an existing configuration with the pcs2pcscmd-needlecommand in the case where the corosync.conf equivalent omits the cluster_name option(which is not the case with standard `pcs`-initiated configurations), the contained pcs cluster setup invocation no longer causes cluster misconfiguration with the name of the first given nodeinterpreted as the required cluster name specification. The same invocation will now include the --encryption 0|1 switch when available, in order to reflect the original configurationaccurately.

In any script-like output sequence such as that produced with the ccs2pcscmd and pcs2pcscmd families of clufter commands, the intended shell interpreter is now emitted in avalid form, so that the respective commented line can be honored by the operating system.(BZ#1381531)

The clufter tool now also covers some additional recently added means of configuration asfacilitated with pcs (heuristics for a quorum device, meta attributes for top-level bundleresource units) when producing the sequence of configuring pcs commands to reflect existingconfigurations when applicable.

For information on the capabilities of clufter, see the clufter(1) man page or the output of the clufter -h command. For examples of clufter usage, see the following Red Hat Knowledgebasearticle: https://access.redhat.com/articles/2810031. (BZ#1509381)

Support for Sybase ASE failoverThe Red Hat High Availability Add-On now provides support for Sybase ASE failover through the ocf:heartbeat:sybaseASE resource. To display the parameters you can configure for this resource,run the pcs resource describe ocf:heartbeat:sybaseASE command. For more information onthis agent, see the ocf_heartbeat_sybaseASE(7) man page. (BZ#1436189)

7.5 Release Notes

32




CHAPTER 7. COMPILER AND TOOLS

The linuxptp package now supports active-backup bonding for clocksynchronizationWith this update, you can now specify a bond interface in the active-backup mode to be used by the ptp4l application. As a result, ptp4l uses the clock of the active interface from the bond as the Precision Time Protocol (PTP) clock and can switch to another interface of the bond in case of afailover. Additionally, the phc2sys utility in the automatic mode (the -a option) can synchronize thesystem clock to the PTP clock of the active interface when operating as a PTP slave and the PTP clock tothe system clock when operating as a PTP master. (BZ#1002657)

parted can now resize partitions using the resizepart commandThe ability to resize disk partitions using the resizepart NUMBER END command is now backported tothe parted disk partitioning utility distributed with Red Hat Enterprise Linux 7. See the parted(8) manpage for information.

Note that this command only resizes partitions, not file systems residing on them. Use file system utilitiessuch as resize2fs to grow or shrink file systems. (BZ#1423357)

binutils rebased to version 2.27The binutils package has been rebased to upstream version 2.27. This version brings the followingchanges:

Support for compressed debug sections

Improved handling of orphan sections during linking

Support for the LLVM plugin

Ability to insert new symbols into an object file with the objcopy utility

Support for the IBM POWER9 architecture

Support for the ARMv8.1 and ARMv8.2 instruction set extensions

Additionally, this update fixes the following bugs:

Previously, the binutils package did not contain the standards.info documentation file thatdescribes the GNU Coding Standard. This file has been added and is available through the infocommand again.

Previously, the ld linker on the IBM Power Systems architecture stored intermediate data in thefirst object file specified by the linker command line. As a consequence, the linker terminatedunexpectedly with a segmentation fault if that file was not used in the output and was discarded.The linker has been modified to directly store the data in the output file and skip the intermediatestorage in the input file. As a result, linking no longer fails with a segmentation fault in thedescribed situation. (BZ#1385959, BZ#1356856, BZ#1467390, BZ#1513014)

pcp rebased to version 3.12.2The Performance Co-Pilot (PCP) application has been rebased to version 3.12.2, which includes manyenhancements and bug fixes.

Collector systems updates:


33




The following Performance Metric Domain Agents (PMDAs) have been updated: perfevent,containers and CGroups, MySQL slave metrics, Linux per-process metrics, and Linux kernelmetrics for entropy, slabinfo, IPv6 sockets, and NFSD worker threads.

New PMDAs are now available: Prometheus endpoint and HAProxy.

Device Mapper statistics now expose an API.

Monitor systems updates:

The derived metrics language has been extended for all monitors.

The pmchart charting utility includes fixes for timezone and display bugs.

The pmlogconf configuration utility automatically enables the hotproc metric logging andadds atop metrics. Performance is now more optimized.

The pcp-atop monitoring utility recognizes the new --hotproc option. Several bugs havebeen fixed.

The pcp-pidstat and pcp-mpstat monitoring utilities recognize several new output options.

The pmrep reporting utility now supports Comma-separated Values (CSV) output compatiblewith the sadf tool. New utilities for exporting PCP metrics to various formats have also beenadded: pcp2zabbix, pcp2xml, pcp2json, and pcp2elasticsearch. (BZ#1472153)

Improved DWARF 5 support in various toolsSupport for the DWARF debugging format version 5 has been extended in the following tools:

The eu-readelf tool from the elfutils package now recognizes all DWARF 5 tags andattributes.

The readelf and objdump tools from the binutils package now recognize the DWARF 5 tag DW_AT_exported_symbols and correctly report its presence in debug information sections.(BZ#1472955, BZ#1472969)

systemtap rebased to version 3.2The SystemTap utility has been updated to upstream version 3.2. Notable enhancements include:

Support for extraction of matched regular expression has been added.

Probe aliases for accepting input from the standard input have been added.

Translator diagnostics have been improved.

Support for the new statx system call has been added.

A new string function strpos() for detecting substring position has been added to the staplanguage.

Additionally, this update fixes the following bugs:

Previously, the statistics extractor functions @min() and @max() returned incorrect values. As aconsequence, scripts relying on these functions did not work properly. The @min() and @max()functions have been fixed to return the correct maximum and minimum values. As a result, theaffected scripts now work as expected.

7.5 Release Notes

34




Previously, some kernel tracepoints were inconsistently listed with the stap -L command,even when they could not be probed. SystemTap has been fixed so that the listed and probe-able tracepoint sets match again.

The netdev.receive probe has been fixed and can collect data again.

The example script nettop.stp affected by the broken netdev.receive probe again worksas expected.

Note that the kernel version in Red Hat Enterprise Linux does not support extended Berkeley PacketFilter (eBPF), and consequently the related upstream SystemTap features are not available.(BZ#1473722, BZ#1490862, BZ#1506230, BZ#1485228, BZ#1518462)

valgrind rebased to version 3.13.0The valgrind package has been upgraded to version 3.13.0, which provides a number of bug fixes andenhancements over the previous version. Notable changes are:

Valgrind has been extended in several ways to run large programs. The amount of memoryusable by Valgrind has been increased to 128 GB. As a consequence, the Memcheck toolsupports running applications that allocate up to approximately 60 GB. Additionally, Valgrindcan now load executable files up to 1200 MB in size.

The tools Memcheck, Helgrind, and Massif can now use a new execution tree (xtree)representation to report heap consumption of the analyzed applications.

The symbol demangler has been updated to support the C++11 standard and the Rustprogramming language.

Failures with long blocks of code using AVX2 instructions on the Intel and AMD 64-bitarchitecture have been fixed.

The 64-bit timebase register of the PowerPC architecture is no longer modeled by Valgrindas only 32-bit.

Support for the IBM Power Systems architecture has been extended to include the ISA 3.0Bspecification.

An alternative implementation of Load-Linked and Store-Conditional instructions for the 64-bitARM architecture has been added. The alternative implementation is enabled automaticallywhen required. To enable it manually, use the --sim-hints=fallback-llsc option.(BZ#1473725, BZ#1508148)

ncat rebased to version 7.50The ncat utility, which is provided by the nmap-ncat package, has been rebased to upstream version7.50. This provides a number of bug fixes and new features over the previous version. Notable changesinclude:

Support for SOCKS5 authentication has been added.

The -z option for quickly checking the status of a port has been added.

The --no-shutdown option now also works in connect mode, not only in listen mode.(BZ#1460249)

rsync rebased to version 3.1.2


35




The rsync packages have been upgraded to upstream version 3.1.2, which provides a number of bugfixes and enhancements over the previous version.

This update introduces the following output changes:

The default output format of numbers has been changed to 3-digit groups, for example, 1,234,567.

The output of the --progress option has been changed; the following strings have beenshortened: xfer to xfr, and to-check to to-chk.

Notable enhancements in this version include:

I/O handling has been improved, which results in faster data transfers.

New --info and --debug options have been added for more fine-grained output.

The ability to synchronize nano-second modified times has been added.

New options, --usermap, --groupmap, and --chown, have been added for manipulating fileownership during the copy operation.

A new --preallocate option has been added. (BZ#1432899)

tcpdump can now analyze virtio trafficThe tcpdump utility now supports the virtio-vsock communication device. This makes it possible for tcpdump to filter and analyze virtio communication between a hypervisor and a guest virtual machine.(BZ#1464390)

Vim now supports C++11 syntax highlightingSyntax highlighting for C++ in the Vim text editor has been enhanced to support the C++11 standard.(BZ#1267826)

Vim now supports the blowfish2 encryption methodSupport for the blowfish2 encryption method has been added to the Vim text editor. This methodprovides stronger encryption than blowfish. To set the blowfish2 encryption method, use the :setlocal cm=blowfish2 command. Note that files encrypted with blowfish2 are compatiblebetween Red Hat Enterprise Linux 7 and Red Hat Enterprise Linux 6. (BZ#1319760)

The IO::Socket::SSL Perl module now uses the system-wide CA certificate storeby defaultPreviously, if a TLS application based on the IO::Socket::SSL Perl module did not provide an explicitpath to a certificate authority (CA) certificate, no authority was known, and the peer's identity could not beverified. With this update, the module uses the system-wide CA certificate store by default. However, it ispossible to disable any certificate store by passing the undef value to the SSL_ca_file option of the IO::Socket::SSL->new() constructor. (BZ#1402588)

perl-DateTime-TimeZone rebased to version 1.70The perl-DateTime-TimeZone package has been upgraded to upstream version 1.70, which provides anumber of bug fixes and enhancements over the previous version. Notably:

With this update, it is possible to install Bugzilla version 5, which requires a more recent versionof perl-DateTime-TimeZone than the system provided previously.

7.5 Release Notes

36




The Olson time zone database has been updated to version 2017b. Previously, applicationswritten in the Perl language that use the DateTime::TimeZone module mishandled timezones that changed their specifications since version 2013h due to the outdated database.

Using a local time zone from a tainted time zone identifier has been fixed. (BZ#1241818,BZ#1101251)

system-config-kdump now support selecting of either automated or manualkdump memory settings when fadump is performedThis update adds fadump memory reservation support into the system-config-kdump packages. As aresult, users can now select either Automated kdump memory settings or Manual settingswhen Firmware assisted dump is selected. (BZ#1384943)

conman rebased to version 0.2.8The conman packages have been upgraded to upstream version 0.2.8, which provides a number of bugfixes and enhancements over the previous version. Notable changes include:

Scalability has been improved.

Coverity Scan and Clang warnings have been fixed to improve stability.

Arbitrary limit on the number of Intelligent Platform Management Interface (IPMI) Serial OverLAN (SOL) consoles has been fixed.

The default value of the loopback setting has been changed to ON in the conman.conf file.(BZ#1435840)

Support for the TFTP windowsize option has been implementedWith this update, support for the windowsize option according to RFC 7440 has been implemented inthe Trivial File Transfer Protocol (TFTP) server and client. When the windowsize option is used, datablocks are sent in batches, which significantly improves throughput. (BZ#1328827)

curl now supports disabling GSSAPI with SOCKS5New --socks5-basic and --socks5-gssapi options for the curl utility and a corresponding optionCURLOPT_SOCKS5_AUTH for the libcurl library have been introduced to control the authenticationmethods for SOCKS5 proxies. (BZ#1409208)

The rsync utility now copies files with their original nanosecond part of the timestampPreviously, the rsync utility ignored the nanosecond part of the time stamp of files. As a consequence,the nanosecond time stamp of newly created files was always zero. With this update, the rsync utilityrecognizes the nanosecond part. As a result, the newly copied files keep their original nanosecond timestamp on systems that support it. (BZ#1393543)

tcpdump rebased to version 4.9.2The tcpdump package has been upgraded to upstream version 4.9.2, which provides a number of bugfixes (for almost 100 CVEs) and enhancements over the previous version. Notable changes include:

A segmentation fault with OpenSSL 1.1 has been fixed and OpenSSL usage has beenimproved.

The buffer overflow vulnerabilities have been fixed.

The infinite loop vulnerabilities have been fixed.


37






Many buffer over-read vulnerabilities have been fixed. (BZ#1490842)

OProfile support for Intel Xeon processor family extendedOProfile has been extended to support the Intel Xeon Phi™ Processor x200 and x205 ProductFamilies. (BZ#1465354)

Support for Intel Xeon v4 uncore performance events in libpfm, pcp, and papiThis update adds support for Intel Xeon v4 uncore performance events to the libpfm performancemonitoring library, the pcp tool, and the papi interface. (BZ#1474999)

Memory copying performance improved on IBM POWER architecturesPreviously, the memcpy() function from the GNU C Library ( glibc ) used unaligned vector load andstore instructions on 64-bit IBM POWER systems. Consequently, when memcpy() was used to accessdevice memory on POWER9 systems, performance would suffer. The memcpy() function has beenenhanced to use aligned memory access instructions, to provide better performance for applicationsregardless of the memory involved on POWER9, without affecting the performance on previousgenerations of the POWER architecture. (BZ#1498925)

TAI clock macro availablePreviously, the kernel provided the CLOCK_TAI clock, but the CLOCK_TAI macro to access it wasmissing in the glibc header file time.h. The macro definition has been added to the header file. As aresult, applications can now access the CLOCK_TAI kernel clock. (BZ#1448822)

Support for selective use of 4 KiB page tables on IBM z SystemsThis update adds the option --s390-pgste to the ld linker from the binutils package to markapplications for the IBM z Systems architecture that require 4 KiB memory page tables on the lowestlevel. As a result, use of this feature can be restricted only to applications that need it, allowing optimaluse of space by all applications on the system. Note that the qemu backend no longer forces 4 KiBlowest level page tables on all running applications. Make sure to specify the new option if yourapplications require them. (BZ#1485398)

More efficient glibc functions on IBM z SystemsSupport for additional instructions of the IBM z Systems architecture has been added to the glibclibrary. As a result, programs compiled for this architecture can benefit from the increased performanceof the glibc functions. (BZ#1375235)

The ld linker no longer incorrectly combines position-dependent and independentcodePreviously, the ld linker combined object files on the IBM z Systems platform without consideringwhether they have been built for Position Independent Executable (PIE). Because PIE and non-PIE codecannot be combined, it was possible to create executable files that could not run. The linker has beenextended to detect mixing of PIE and non-PIE code and produce an error message in this case. As aresult, broken executable files can no longer be created this way. (BZ#1406430)

python-virtualenv rebased to 15.1.0The python-virtualenv package has been upgraded to version 15.1.0, which provides a number of bugfixes and enhancements over the previous version. With this update, the following bundled packageshave been upgraded: setuptools to version 28.0.0 and pip to version 9.0.1. (BZ#1461154)

python-urllib3 supports IP addresses in subjectAltNameThe python-urllib3 package, a Python HTTP module with connection pooling and file POST abilities, nowsupports IP addresses in the subjectAltName (SAN) fields. (BZ#1434114)

Support for retpolines added to GCC

7.5 Release Notes

38





This update adds support for retpolines to GCC. Retpolines are a technique used by the kernel toreduce overhead of mitigating Spectre Variant 2 attacks described in CVE-2017-5715. (BZ#1535655)

Shenandoah garbage collector is now fully supportedThe low pause time Shenandoah garbage collector for OpenJDK, previously available as a TechnologyPreview, is now fully supported on the Intel 64, AMD64, and 64-bit ARM architectures. Shenandoahperforms concurrent evacuation which allows users to run with large heaps without long pause times.For more information, see https://wiki.openjdk.java.net/display/shenandoah/Main. (BZ#1578075)


39

https://wiki.openjdk.java.net/display/shenandoah/Main

CHAPTER 8. DESKTOP

GNOME Shell rebased to version 3.26In Red Hat Enterprise Linux 7.5, GNOME Shell has been rebased to upstream version 3.26. Notableenhancements include:

System search now provides results with an updated layout which makes them easier to readand shows more items at once. Additionally, it is now possible to search for system actions.

The Settings application has a new layout.

Various ways to insert emoji have been introduced for GNOME 3.26. This includes theCharacters application and Polari, the GNOME IRC client.

Display settings of GNOME have been redesigned.

GNOME 3.26 no longer shows status icons in the bottom left part of the screen. GNOMEClassic, which is the default session, now contains the TopIcons extension by default toprovide the status tray functionality. Users of other session types than GNOME Clasic can installthe TopIcons extension manually.

For the full list of changes, see https://help.gnome.org/misc/release-notes/3.26/ (BZ#1481381)

gnome-settings-daemon rebased to version 3.26gnome-settings-daemon has been rebased to enable the Wayland display server protocol, morespecifically, fractional monitor scaling. Instead of a single gnome-settings-daemon process, the user cannow notice a collection of processes named gsd-* running in their sessions. (BZ#1481410)

libreoffice rebased to version 5.3The LibreOffice office suite, has been upgraded to version 5.3, which includes a number ofenhancements over the previous version:

LibreOffice introduces a new LibreOffice UI, called MUFFIN (My User Friendly & FlexibleINterface).

The LibreOffice Writer contains a new Go to Page dialog to navigate in the text area.

The LibreOffice Writer also introduces new table styles feature.

A new Arrows toolbox has been added to LibreOffice.

In Calc, number formatting and default cell styles have been improved.

A new Template Selector was added to LibreOffice Impress

LibreOffice Base can no longer read Firebird 2.5 data. Embedded .odb files created in previousversions of LibreOffice are not compatible with this version.

For the full list of changes, see https://wiki.documentfoundation.org/ReleaseNotes/5.3 (BZ#1474303)

GIMP rebased to version 2.8.22GNU Image Manipulation Program (GIMP) version 2.8.22 includes the following significant bug fixes andenhancements:

Core:

7.5 Release Notes

40

https://help.gnome.org/misc/release-notes/3.26/



https://wiki.documentfoundation.org/ReleaseNotes/5.3


Saving to existing .xcf.bz and .xcf.gz files now truncates the files and no longer creates largefiles

Text layer created by gimp-text-fontname respects border when resized

GUI:

Drawing performance in single window mode, especially with pixmap themes, has beenimproved

On Paint Dynamics editor dialog, the y axis is now indicates Rate instead Flow

Pulsing progress bar in splash screen indicates unknown durations

Gamut warning color for LC-MS display filter has been fixed

Unbolding of bold font on edit has been fixed

Accidental renaming of wrong adjacent item is now eliminated

Plug-ins:

When importing PSD files, creating a wrong layer group structure is now eliminated

Large images or large resolution no longer cause a crash in the PDF plug-in

Parsing invalid PCX files is now stopped early and a subsequent segmentation fault is thuseliminated

The Escape key can no longer close the Python console

Filter Edge Detect/Difference of Gaussians returns empty image

When printing, the images are composed onto a white background to prevent printing a blackbox instead of a transparent image

Color vision deficiency display filters have been fixed to apply gamma correction directly

Script-Fu regex match now returns proper character indexes for Unicode characters

Script-Fu modulo for large numbers has been fixed

Updated Translations include: Basque, Brazilian Portuguese, Catalan, Chinese (PRC), Czech, Danish,Finnish, German, Greek, Hungarian, Icelandic, Italian, Kazakh, Norwegian, Polish, Portugese, Slovak,Slovenian, Scottish Gaelic and Spanish. (BZ#1210840)

Inkscape rebased to version 0.92.2The rebased Inkscape, vector graphics software, provides a number of enhancements over theprevious version, including the following:

Mesh Gradients are now supported.

Many SVG2 and CSS3 properties are now supported, for example, paint-order, mix-blend-mode. However, not all are available from the GUI.

All objects are listed in the new Object dialog box from where you can select, label, hide, andlock any object.

CHAPTER 8. DESKTOP

41

Selection sets make it possible to group objects together regardless of the document structure.

Guides can now be locked to avoid accidental movement.

Several new path effects have been added, among them Envelope/Perspective, LatticeDeformation, Mirror, and Rotate Copies.

Several extensions have been added including a seamless pattern extension. In addition, manyextensions have been updated or been given new features.

A colorblindness simulation filter was added.

The spray tool and measure tool have received several new features.

The Pencil tool can create interactive smoothing for lines.

BSplines are available for the Pen tool.

Checkerboard background can be used to more easily see object transparencies. (BZ#1480184)

webkitgtk4 rebased to version 2.16The webkitgtk4 package has been upgraded to version 2.16, which provides a number of enhancementsover the previous version. Notable enhancements include:

To reduce memory consumption, hardware acceleration is now enabled on demand.

webkitgtk4 contains a new WebKitSetting plug-in to set the hardware acceleration policy.

CSS Grid Layout is enabled by default.

Private browsing has been improved by adding a new API to create ephemeral web views.

A new API has been provided to handle website data.

Two new debugging tools are now available: memory sampler and resource usage overlay.

GTK+ font settings are now honored.

Theme rendering performance is improved when using GTK+ version 3.20 and higher.(BZ#1476707)

qt5 rebased to version 5.9.2The qt5 packages have been upgraded to upstream version 5.9.2, which provides a number of bug fixesand enhancements over the previous version. Notably, qt5 now contains:

improved performance and stability

long term support

improved C++11 support - note that Qt 5.9 now requires C++11 compliant compiler

Qt Quick Controls 2 - a new module with support for embedded devices (BZ#1479097)

New package: qgnomeplatformThe QGnomePlatform Theme module is now included in Red Hat Enterprise Linux. In GNOME DesktopEnvironment, it makes applications created with Qt 5 honor the current visual settings. (BZ#1479351)

7.5 Release Notes

42




ModemManager rebased to version 1.6.8The ModemManager package has been upgraded to upstream version 1.6.8 to support newer modemhardware. This provides a number enhancements over the previous version. Notably, the version of the libqmi library has been upgraded to 1.18.0 and the libmbim library to 1.14.2. In addition, the usb_modeswitch tool has been upgraded to 2.5.1 and the usb-modeswitch-data package to 20170806.(BZ#1483051)

New packages: libsmbiosRed Hat Enterprise Linux 7.5 now includes the libsmbios packages to support flash Trusted PlatformModule (TPM) and Synaptics Micro Systems Technology (MST) hubs. Libsmbios is a library and utilitiesthat can be used by client programs to get information from standard BIOS tables, such as the SMBIOStable. (BZ#1463329)

mutter rebased to version 3.26The mutter package has been upgraded to version 3.26, which provides a number of bug fixes andenhancements over the previous version.

The most significant bug fixes include:

Unexpected termination when respawning shortcut inhibitor dialog

Unexpected termination during monitor configuration migration

Multihead regressions in X11 session

Screen rotation regressions

Unexpected termination when reconnecting tablet device

The list of notable enhancements includes:

Support for running headless

Support for snap packages for sandboxed app IDs

Support for _NET_RESTACK_WINDOW and ConfigureRequest siblings

mutter now exports _NET_NUMBER_OF_DESKTOPS

mutter now allows resizing of tiled windows

Key bindings have been resolved with non-latin layouts

Support for export tiling information to clients

Monitor layout is now remembered across sessions (BZ#1481386)

The SANE_USB_WORKAROUND environmental variable can make older scanners usablewith USB3Previously, Scanner Access Now Easy (SANE) was unable to communicate with certain older types ofscanners when they were plugged into a USB3 port. This update introduces the SANE_USB_WORKAROUND environmental variable, which can be set to 1 to eliminate this problem.(BZ#1458903)

The libyami package added for better video stream handling

CHAPTER 8. DESKTOP

43




With this update, the libyami package has been added to Red Hat Enterprise Linux 7 to improve videostream handling. In particular, the video stream is parsed and decoded with the help of hardwareacceleration. (BZ#1456906)

netpbm rebased to version 10.79.00The netpbm packages have been upgraded to version 10.79.00, which provides a large number of bugfixes and enhancements to multiple programs included in these packages. For detailed change log, seethe /usr/share/doc/netpbm/HISTORY file. (BZ#1381122)

Red Hat Enterprise Linux 7.5 supports libvaLibva is an implementation for the Video Acceleration API (VA-API).

VA-API is an open-source library and API specification that provides access to graphics hardwareacceleration capabilities for video processing. It consists of a main library and driver-specific accelerationback ends for each supported hardware vendor. (BZ#1456903)

GStreamer now supports mp3An MPEG-2 Audio layer III decoder, more commonly known as mp3, has been added to GStreamer.The mp3 support is available through the mpeg123 library and the corresponding GStreamer plug-in.

The user can download the mp3 plug-in using GNOME Software or using the codec installer in various GStreamer applications. (BZ#1481753)

GNOME control-center rebased to version 3.26In Red Hat Enterprise Linux 7.5, control-center has been rebased to upstream version 3.26. Notableenhancements include:

Night Light is a new feature that changes the color of your displays according to the time ofday. The screen color follows the sunrise and sunset times for a given location, or can be set toa custom schedule. Night Light works with both X11 and Wayland display server protocols.

This update introduces a new layout to the Settings application. The grid of icons has beenreplaced by a sidebar, which allows switching between different areas. In addition, the Settings window is bigger and can be resized.

GNOME’s Network settings have been improved. Wi-Fi now has its own dedicated settingsarea and Network settings dialogs have been updated.

GNOME’s Display settings have been redesigned. The new design brings relevant settings tothe forefront. With multiple displays connected, there is a row of buttons, which allows choosingthe preferred use. The new Display settings include a preview version of a new scaling setting.This allows the size of what is shown on the screen to be adjusted to match the density (oftenexpressed as PPI or DPI) of your display. Note that Wayland is recommended over X11, as per-display configuration is not supported on the latter.

The user interface of three other areas of the Settings application has been redesigned: Online Accounts, Printers, and Users. (BZ#1481407)

New package: emacs-php-modeThis update adds the new emacs-php-mode package to Red Hat Enterprise Linux 7. emacs-php-modeprovides PHP mode for the Emacs text editor thus enabling better PHP editing. (BZ#1266953)

Dutch keyboard layout providedThe installation of Red Hat Enterprise Linux in Dutch now provides an additional keyboard map thatmimics the US International map used in the Windows OS. The new latn1-pre.mim keymap file

7.5 Release Notes

44



enables the user to utilize single keymap, diacritics, and thus type both in the English and Dutchlanguage with ease. (BZ#1058510)

CHAPTER 8. DESKTOP

45

CHAPTER 9. FILE SYSTEMS

SMB 2 and SMB 3 now support DFSDistributed File System (DFS), which was previously supported only with the Server Message Block(SMB) protocol version 1, is now also supported in SMB 2 and SMB 3.

With this update, you can now mount DFS shares using the SMB 2 and SMB 3 protocols. (BZ#1481303)

File system DAX now performs better when mapping a large amount of memoryPrior to this enhancement, the Direct Access (DAX) feature mapped only 4KiB entries into applicationaddress space. This had a negative performance impact on workloads that mapped large amounts ofmemory, because it increased Translation Lookaside Buffer (TLB) pressure. With this update, the kernelsupports 2MiB Page Middle Directory (PMD) faults in persistent memory mappings. This significantlyreduces TLB pressure, and file system DAX now performs better when mapping a large amount ofmemory. (BZ#1457572)

quotacheck is now faster on ext4The quotacheck utility now directly scans ext4 file system metadata instead of analyzing eachindividual file for occupied disk size. If the file system contains many files, quota initialization and quotacheck are now significantly faster. (BZ#1393849)

7.5 Release Notes

46

CHAPTER 10. HARDWARE ENABLEMENT

Broadcom 5880 smart card readers with the updated firmware are now supportedThis update includes the USB ID entries for the updated firmware version of the Broadcom 5880 smartcard readers and Red Hat Enterprise Linux is now able to properly recognize and use these readers.

Note that users with the Broadcom 5880 smart card readers using older firmware versions should updatethe firmware. See the Support section at www.dell.com for more information about the updating process.(BZ#1435668)

fwupd now supports Synaptics MST hubsRed Hat Enterprise Linux 7.5 adds a plug-in for Synaptics MST hubs to the fwupd utility. This plug-inenables you to flash firmware and query firmware information for this device. (BZ#1420913)

kernel-rt sources updatedThe kernel-rt sources have been upgraded to be based on the latest Red Hat Enterprise Linux kernelsource tree, which provides a number of bug fixes and enhancements over the previous version.(BZ#1462329)

Improved RT throttling mechanismThe current real-time throttling mechanism prevents the starvation of non-real-time tasks by CPUintensive real-time tasks. When a real-time run queue is throttled, it allows non-real-time tasks to run orif there are none, the CPU goes idle. To safely maximize CPU usage by decreasing the CPU idle time,the RT_RUNTIME_GREED scheduler feature has been implemented. When enabled, this feature checks ifnon-real-time tasks are starving before throttling the real-time task. As a result, the RT_RUNTIME_GREEDscheduler option guarantees some run time on all CPUs for the non-real-time tasks, while keeping thereal-time tasks running as much as possible. (BZ#1401061)

VMware Paravirtual RDMA DriverThis enhancement update adds VMware Paravirtual RDMA Driver to Red Hat Enterprise Linux. Thisfeature allows VMware users to deploy and use Red Hat Enterprise Linux-based VMs with PVRDMAdevices. (BZ#1454965)

opal-prd rebased to version 5.9The opal-prd daemon, which handles hardware-specific recovery processes, has been rebased toversion 5.9. This enhancement update includes the following important fixes and notable enhancements:

flush after logging to stdio in debug mode

fixes for memory leaks

fix for opal-prd command line options

fix for occ_reset call

API comment regarding nanosleep ranges

the pnor file is no longer passed while starting opal-prd

on FSP system host, pnor access interface is disabled

add support for runtime OCC load/start in ZZ

Users of opal-prd are advised to upgrade to these updated packages, which fix these bugs and addthese enhancements. (BZ#1456536)


47



libreswan now supports NIC offloadingThis update of the libreswan packages introduces support for the network interface controller (NIC)offloading. Libreswan now automatically detects the NIC hardware offload support, and the nic-offload=auto|yes|no option has been added for manual setup of this feature. (BZ#1463062)

Trusted Computing Group TPM 2.0 System API library and management utilitiesavailableThe following packages, which handle the Trusted Computing Group's Trusted Platform Module (TPM)2.0 hardware and which were previously available as a Technology Preview, are now fully supported:

The tpm2-tss package adds the Intel implementation of the TPM 2.0 System API library. Thislibrary enables programs to interact with TPM 2.0 devices.

The tpm2-tools package adds a set of utilities for management and utilization of TPM 2.0devices from user space. (BZ#1463097, BZ#1463100)

new packages: tpm2-abrmdThis update adds the tpm2-abrmd packages to Red Hat Enterprise Linux 7. The tpm2-abrmd packagesprovide a system service that implemens the Trusted Plaform Module (TPM) 2.0 Access Broker (TAB)and Resource Manager (RM) specification from the Trusted Computing Group. (BZ#1492466)

7.5 Release Notes

48


CHAPTER 11. INSTALLATION AND BOOTING

Assigning mount points to existing block devices is now possible in KickstartinstallationsA new mount command is now available in Kickstart. This command assigns a mount point to aparticular block device with a file system, and it can also reformat it if you specify the --reformatoption.

The difference between mount and other storage-related commands like autopart, part, or logvolis that with mount you do not need to describe the entire storage configuration in the Kickstart file, youonly need to make sure that the specified block devices exist on the system. However, if you want tocreate the storage configuration instead of using an existing one, and mount the various devices, thenyou must use the other storage configuration commands.

You can not use mount with the other storage configuration commands in the same Kickstart file.(BZ#1450922)

The livemedia-creator utility now provides a sample Kickstart file for UEFIsystemsThe example Kickstart files provided with the livemedia-creator packages have been updated to support32 and 64-bit UEFI systems. The files are located in the /usr/share/lorax-version/ directory.

Note that livemedia-creator must be run on a UEFI system or virtual machine to build bootableUEFI disk images. (BZ#1458937)

New option for the network Kickstart command binding the device configurationfile to the device MAC addressYou can now use the new --bindto=mac option with the network Kickstart command to use the HWADDR parameter (the MAC address) instead of the default DEVICE in the device's ifcfg file on theinstalled system. This will bind the device configuration to the MAC instead of the device name.

Note that the new --bindto option is independent of the network --device Kickstart option. It willbe applied to the ifcfg file even if the device was specified in the Kickstart file using its name, link, or bootif. (BZ#1328576)

New options for Kickstart %packages allow configuring Yum timeout and number ofretriesThis update adds two new options for the %packages section in Kickstart files:

--timeout=X - sets the Yum timeout to X seconds. Defaults to 30.

--retries=Y - sets the number of Yum retries to Y. Defaults to 10.

Note that if you use multiple %packages sections during the installation, options set on the section whichappears last will be used for every section. If the last section has neither of these options set, every %packages section in the Kickstart file will use the default values.

These new options may help when performing a large number parallel installations from a singlepackage source at once, when package download speed is limited by disk read or network speeds. Thenew options only affect the system during installation and have no effect on Yum configuration on theinstalled system. (BZ#1448459)

The Red Hat Enterprise Linux 7 ISO image can be used to create guests virtualmachines on IBM z Systems


49





With this release, you can create a bootable Red Hat Enterprise Linux ISO file for KVM virtual machineson the IBM z Systems architecture. As a result, Red Hat Enterprise Linux guest virtual machines on IBMz Systems can boot from a boot.iso file. (BZ#1478448)

ARPUPDATE option for ifcfg-* files has been introducedThis update introduces the ARPUPDATE option for the ifcfg-* files with default value yes. Setting thevalue to no allows administrators to disable updating neighboring computers with address resolutionprotocol (ARP) information about current network interface controller (NIC). This is especially neededwhen using Linux Virtual Server (LVS) Load Balancing with Direct routing enabled. (BZ#1478419)

The --noconfig option added for the rpm -V commandWith this update, the --noconfig option has been added to the rpm -V command. This optionenables the command to list only the altered non-configuration files, which helps diagnose systemproblems. (BZ#1406611)

ifcfg-* files now allow you to specify a third DNS serverifcfg-* configuration files now support the DNS3 option. You can use this option to specify a thirdDomain Name Server (DNS) address to be used in /etc/resolv.conf, instead of the previousmaximum of two DNS servers. (BZ#1357658)

Multi-threaded xz compression in rpm-buildThis update adds multi-threaded xz compression for source and binary packages when setting the %_source_payload or %_binary_payload macros to the wLTX.xzdio pattern. In it, L representsthe compression level, which is 6 by default, and X is the number of threads to be used (may be multipledigits), for example w6T12.xzdio. To enable this feature, edit the /usr/lib/rpm/macros file ordeclare the macro within the spec file or at the command line.

As a result, compressions take less time for highly parallel builds, which is beneficial especially forcontinuous integration of large projects that are built on hardware with many cores. (BZ#1278924)

7.5 Release Notes

50




CHAPTER 12. KERNEL

Memory Protection Keys are now supported in later Intel processorsMemory Protection Keys provide a mechanism for enforcing page-based protections, but withoutrequiring modifications of the page tables when an application changes protection domains. Todetermine if your processor supports Memory Protection Keys, check for the pku flag in the /proc/cpuinfo file. Further documentation including programming examples can be found in the /usr/share/doc/kernel-doc-*/Documentation/x86/protection-keys.txt file, which isprovided by the kernel-doc package. (BZ#1272615)

EDAC support added for Pondicherry 2 memory controllersError Detection and Correction support has been added for Pondicherry 2 memory controllers used onmachines based on the Intel Atom C3000-series processors. (BZ#1273769)

MBA is now supportedMemory Bandwidth Allocation (MBA) is an extension of the existing Cache QoS Enforcement (CQE)feature found in Broadwell servers. MBA is a feature of the Intel Resource Director Technology (RDT) thatprovides control over memory bandwidth for applications. With this update, the MBA support is added.(BZ#1379551)

Swap optimizations enable fast block devices to be used as secondary memoryPreviously, the swap subsystem was not performance-critical because the performance of rotating disks,especially in terms of latency, was orders of magnitude worse than the rest of the memory managementsubsystem. With the advent of fast SSD devices, the overhead of the swap subsystem has becomesignificant. This update brings a series of performance optimizations that reduce this overhead.(BZ#1400689)

HID Wacom rebased to version 4.12The HID Wacom kernel module packages have been upgraded to upstream version 4.12, which providesa number of bug fixes and enhancements over the previous version:

The hid_wacom power supply code has been updated, fixing previously existing problems.

Support has been added for the Bluetooth-based Intuos 2 Pro pen tablet.

Bugs affecting the Intuos 2 Pro pen tablet and the Bamboo slate have been fixed. (BZ#1475409)

New livepatch functionality improves the latency and success rate of the kpatch-patch packagesWith this update, the kpatch kernel live patching infrastructure has been upgraded to use the newupstream livepatch functionality for patching the kernel. This functionality improves the schedulinglatency and success rate of the kpatch-patch hotfix packages. (BZ#1430637)

Persistent Kernel Module Upgrade (PKMU) supportedThe kmod packages provide various programs for automatic loading, unloading, and management ofkernel modules. Previously, kmod searched for the modules only in the /lib/modules/<kernel version>directory. Consequently, users needed to perform additional actions, for example, run the/usr/sbin/weak-modules script to install symlinks, to make the modules loadable. With this update, kmodhave been modified to search for the modules anywhere in the file system. As a result, users can nowinstall new modules to a separate directory, configure the kmod tools to look for modules there, and themodules will be available automatically for the new kernel. Users can also specify several directories fora kernel, or different directories for different kernels. The kernel version is specified with a regularexpression. (BZ#1361857)

CHAPTER 12. KERNEL

51

The Linux kernel now supports encrypted SMB 3 connectionsPrior to introducing this feature, the kernel only supported unencrypted connections when using theServer Message Block (SMB) protocol. This update adds encryption support for SMB 3.0 and laterprotocol versions. As a result, users can mount SMB shares using encryption, if the server provides orrequires this feature.

To mount a share using the encrypted SMB protocol, pass the seal mount option together with the vers mount option set to 3.0 or later to the mount command. For further details and an example, seethe seal parameter description in https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/storage_administration_guide/mounting_an_smb_share#tab.frequently_used_mount_options(BZ#1429710)

SME enabled on AMD Naples platformsWith this update, AMD Secure Memory Encryption (SME) is provided by systems based on AMD Naplesplatforms. The Advanced Encryption Standard (AES) engine has the ability to encrypt and decryptdynamic random access memory (DRAM). SME, provided by the AES engine, is intended to protectmachines against hardware-probing attacks. To activate SME, boot the system with the kernel parameter mem_encrypt=on. (BZ#1361287)

Support for the ie31200_edac driverThis enhancement adds support for the ie31200_edac driver to the consumer version of Skylake andKabi Lake CPU families. (BZ#1482253)

EDAC now supports GHESThis enhancement adds Error Detection and Correction (EDAC) support for using the Generic HardwareError Source (GHES) provided by BIOS. GHES is now used as a source for memory corrected anduncorrected errors instead of a hardware specific driver. (BZ#1451916)

CUIR enhanced scope detection is now fully supportedSupport for Control Unit Initiated Reconfiguration (CUIR) enables the Direct Access Storage Device(DASD) device driver to automatically take paths to DASDs offline for concurrent services. If other pathsto the DASD are available, the DASD stays operational.

CUIR informs the DASD device driver when the paths are available again, and the device driver attemptsto vary them back online.

In addition to the support for Linux instances running in Logical Partitioning (LPAR) mode, support forLinux instances on IBM z/VM systems has been added. (BZ#1494476)

kdump allows a vmcore collection without the root file system being mountedIn Red Hat Enterprise Linux 7.4, kdump required the root file system to be mounted although this is notalways necessary for the collection of a vmcore image file. Consequently, kdump failed to collect a vmcore file if the root device could not be mounted when the dump target was not on the root filesystem, but, for example, on a usb or on the network. With this enhancement, if the root device is notrequired for dump, it is not mounted, and a vmcore file can be collected. (BZ#1431974, BZ#1460652)

KASLR fully supported and enabled by defaultKernel address space layout randomization (KASLR), which was previously available as a TechnologyPreview, is fully supported in Red Hat Enterprise Linux 7.5 on the AMD64 and Intel 64 architectures.KASLR is a kernel feature that contains two parts, kernel text KASLR and mm KASLR. These two partswork together to enhance the security of the Linux kernel.

The physical address and virtual address of kernel text itself are randomized to a different positionseparately. The physical address of the kernel can be anywhere under 64TB, while the virtual address ofthe kernel is restricted between [0xffffffff80000000, 0xffffffffc0000000], the 1GB space.

7.5 Release Notes

52

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/storage_administration_guide/mounting_an_smb_share#tab.frequently_used_mount_options


The starting address of three mm sections (the direct mapping, vmalloc, and vmemmap section) israndomized in a specific area. Previously, starting addresses of these sections were fixed values.

KASLR can thus prevent inserting and redirecting the execution of the kernel to a malicious code if thiscode relies on knowing where symbols of interest are located in the kernel address space.

KASLR code is now compiled in the Linux kernel, and it is enabled by default. If you want to disable itexplicitly, add the nokaslr kernel option to the kernel command line. (BZ#1491226)

Intel® Omni-Path Architecture (OPA) Host SoftwareIntel® Omni-Path Architecture (OPA) host software is fully supported in Red Hat Enterprise Linux 7.5.Intel OPA provides Host Fabric Interface (HFI) hardware with initialization and setup for highperformance data transfers (high bandwidth, high message rate, low latency) between compute and I/Onodes in a clustered environment.

For instructions on installing Intel® Omni-Path Architecture documentation, seehttps://www.intel.com/content/dam/support/us/en/documents/network-and-i-o/fabric-products/Intel_OP_Software_RHEL_7_5_RN_J98644.pdf. (BZ#1543995)

noreplace-paravirt has been removed from the kernel command line parametersThe noreplace-paravirt kernel command line parameter has been removed, because theparameter is no longer compatible with the patches to mitigate the Spectre and Meltdown vulnerabilities.Booting AMD64 and Intel 64 systems with noreplace-paravirt in kernel command line will causerepeated reboots of the operating system. (BZ#1538911)

The new EFI memmap implementation is now available on SGI UV2+ systemsPrior to this update, the Extensible Firmware Interface (EFI) stable runtime services mapping acrosskexec reboot (memmap) implementation was not available on Silicon Graphics International (SGI) UV2and later systems. This update adds support for EFI memmap. Additionally, this update also enables useof Secure Boot with the kdump kernel. (BZ#1102454)

Mounting pNFS shares with flexible file layout is now fully supportedFlexible file layout on pNFS clients was first introduced in Red Hat Enterprise Linux 7.2 as a TechnologyPreview. With Red Hat Enterprise Linux 7.5, it is now fully supported.

pNFS flexible file layout enables advanced features such as non-disruptive file mobility and client-sidemirroring, which provides enhanced usability in areas such as databases, big data, and virtualization.See https://datatracker.ietf.org/doc/draft-ietf-nfsv4-flex-files/ for detailed information about pNFS flexiblefile layout. (BZ#1349668)

CHAPTER 12. KERNEL

53

https://www.intel.com/content/dam/support/us/en/documents/network-and-i-o/fabric-products/Intel_OP_Software_RHEL_7_5_RN_J98644.pdf


https://datatracker.ietf.org/doc/draft-ietf-nfsv4-flex-files/

CHAPTER 13. NETWORKING

Error handling in the output of the dhcp-script has been improvedPreviously, any error in the output of the dhcp-script was ignored. With this update the output of thescript is logged on the add, old, del, arp-add, arp-del, tftp actions. As a result, errors aredisplayed while dnsmasq is running.

Note that the lease-init action happens only at a start of Dnsmasq. With this update, only a summary ofthe output is logged and not the standard error output, which passes to the systemd service for logging.(BZ#1188259)

Network namespace isolation has been added to ipsetPreviously, ipset entries were visible and could be modified by any network namespace. This updateprovides ipset with isolation per network namespace. As a result, ipset configuration is separated foreach namespace. (BZ#1226051)

NetworkManager now supports multiple routing tables to enable source routingThis update adds a new table attribute for IPv4 and IPv6 routes which can be configured manually bythe user. For each manual static route, a routing table can be selected. As a result, configuring the tableof a route has the effect of configuring the route in that table. Additionally, the default routing table of aconnection profile can be configured via the new ipv4.route-table and ipv6.route-tablesettings for IPv4 and IPv6 respectively. These settings determine in which table the routes are placed,except manual routes that explicitly overwrite this setting. (BZ#1436531)

nftables rebased to version 0.8The nftables packages have been upgraded to version 0.8, which provides a number of bug fixes andenhancements over the previous version. Notable changes include:

New expressions: fib, numgen, quota, rt, notrack have been added.

Support hashing of any arbitrary key combination has been added.

Support to set non-byte bound packet header fields, including checksum adjustment has beenadded.

Variable reference for set element definitions and variable definitions from element commandscan now be used.

Support to flush set has been added.

Support for logging flags has been added.

Support for tc classid parser has been added.

Endianness problems with link layer address have been solved.

Parser to keep map flag around on definition has been fixed.

The time datatype now uses milliseconds, as the kernel expects. (BZ#1472261)

Persistent DHCP client behavior added to NetworkManagerWith this update, the ipv4.dhcp-timeout property can be set to either the maximum for a 32-bit integer (MAXINT32) value or to the infinity value. As a result, NetworkManager never stopstrying to get or renew a lease from a DHCP server until it is successful. (BZ#1350830)

7.5 Release Notes

54




NetworkManager exposes new properties to expose team optionsPreviously, NetworkManager applied team configuration to connections providing a JSON string to the config property, which was the only property available in the team setting. This update adds newproperties in NetworkManager matching one to one the team configuration options. As a result, theconfiguration may be provided either through a unique JSON string in the NetworkManager configproperty or assigning values to the new team properties. Any configuration change applied in config isreflected to the new team properties and vice versa. The correct configuration of team link-watchers andteam.runner is now enforced in NetworkManager. Wrong or unknown link-watcher and team.runnerconfigurations result in the full team connection being rejected.

Note that when changing the brand new runner property, all the properties related to specific runnersare reset to default. (BZ#1398925)

Packets mark is now reflected on repliesPreviously, when receiving a connection request on a closed port, an error packet was sent back to theclient. When the incoming connection was marked with some firewall rules, the generated errormessage did not have this mark because this functionality was not implemented in the kernel. With thisupdate, the generated error message has the same marking as the incoming packet that tried to initiatethe connection. (BZ#1469857)

New Socket timestamping options for NTPThis update adds the SOF_TIMESTAMPING_OPT_PKTINFO and SOF_TIMESTAMPING_OPT_TX_SWHWsocket timestamping options for hardware timestamping with bonding and other virtual interfaces in Network Time Protocol (NTP) implementations, such as chrony. (BZ#1421164)

iproute2 rebased to version 4.11.0The iproute2 package has been upgraded to upstream version 4.11.0, which provides a number of bugfixes and enhancements. Notably, the ip tool includes:

Support for JSON output to various commands has been added.

Support for more interface type attributes has been added.

Support for colored output has been added.

Support for the label, dev options and the rule objects in ip-monitor state.

Support for selectors in the ip-rule command has been added.

Additionally, notable improvements for the tc utility include:

Support for the bash-completion function for tc.

The vlan action in tc has been introduced.

The extended mode in the pedit action has been introduced.

Stream Control Transmission Protocol (SCTP) support in the csum action has been added.

For other tools:

Support for extended statistics in the lnstat tool has been added.

Support for SCTP in the nstat utility has been added. (BZ#1435647)


55


The tc-pedit action now supports offset relative to Layer 2 and Layer 4The tc-pedit action allows modification of packet data. This update adds support for specifying the offset options relative to the Layer 2, 3 and 4 headers to tc-pedit. This makes pedit headerhandling more robust and flexible. As a result, editing Ethernet header is more convenient and accessingthe Layer 4 header works independently to the Layer 3 header size. (BZ#1468280)

Features backported to iprouteA number of enhancements have been backported to the iproute package. Notable changes include:

Pipeline debug support has been added to the devlink tool via the dpipe subcommand.

Hardware offload status is now available in the tc filter, indicated by the in_hw or not_in_hwflags.

Support for IPv6 in the tc pedit action has been added.

Setting and retrieving eswitch encapsulation support has been added to the devlink tool.

Matching capabilities of the tc flower filter have been enhanced:

Support for matching on TCP flags.

Support for matching on the type-of-service (ToS) and the time-to-live (TTL) fields in the IPheader.

(BZ#1456539)

The Geneve driver rebased to version 4.12The Geneve driver has been updated to version 4.12, which provides several bug fixes andenhancements for Open vSwitch (OVS) or Open Virtual Network (OVN) deployments using Genevetunneling. (BZ#1467288)

A control switch added for VXLAN and GENEVE offloadingThis update adds a new control switch to the ethtool utility to enable or disable offloading of the VXLAN and GENEVE tunnels to network cards. This enhancement enables easier debugging of issueswith the VXLAN or GENEVE tunnels. In addition, you can resolve issues caused by offloading these typesof tunnels to network cards by using ethtool to disable the feature. (BZ#1308630)

unbound rebased to version 1.6.6The unbound packages have been rebased to upstream version 1.6.6, which provides a number of bugfixes and enhancements over the previous version. Notable changes are as follows:

DNS Query Name (QNAME) minimisation according to RFC 7816 has been implemented.

A new max-udp-size configuration option has been added; its default value is 4096.

A new DNS64 module and a new dns64-prefix option have been added.

New insecure_add and insecure_remove commands have been added to the unbound-control utility for administration of negative trust anchors.

The unbound-control utility is now capable of bulk addition and removal of local zones andlocal data. To perform these actions, use the local_zones, local_zones_remove, local_datas, and local_datas_remove commands.

7.5 Release Notes

56


The libldns is no longer a dependency of libunbound and will not be installed with it.

A new so-reuseport: option is now available for distributing queries evenly over threads onLinux.

New Resource Record types have been added: CDS, CDNSKEY, URI (according to RFC 7553), CSYNC, and OPENPGPKEY.

New local-zone types have been added: inform to log a message with a client IP and inform_deny to log a query and drop the answer to it.

Remote control over local sockets is now available; use the control-interface: /path/sock and control-use-cert: no commands.

A new ip-transparent: configuration option has been added for binding to non-local IPaddresses.

A new ip-freebind: configuration option has been added for binding to an IP address whilethe interface or address is down.

A new harden-algo-downgrade: configuration option has been added.

The following domains are now blocked by default: onion (according to RFC 7686), test, and invalid (according to RFC 6761).

A user-defined pluggable event API for the libunbound library has been added.

To set the working directory for Unbound, either use the directory: dir with the include: file statement in the unbound.conf file, which ensures that the includes are relative to thedirectory, or use the chroot command with an absolute path.

Fine-grained localzone control has been implemented with the following options: define-tag, access-control-tag, access-control-tag-action, access-control-tag-data, local-zone-tag, and local-zone-override.

A new outgoing-interface: netblock/64 IPv6 option has been added to use Linuxfreebind feature for every query with a random 64-bit local part.

Logging of DNS replies has been added, which is similar to query logs.

Trust anchor signaling has been implemented that uses key tag query and trustanchor.unbound CH TXT queries.

Extension mechanisms for DNS (EDNS) Client subnet has been iplemented.

ipsecmod, an opportunistic IPsec support module, has been implemented. (BZ#1251440)

DHCP now supports standard dynamic DNS updatesWith this update, the DHCP server allows updating DNS records by using a standard protocol. As aresult, DHCP supports standard dynamic DNS updates as described in RFC 2136:https://tools.ietf.org/html/rfc2136. (BZ#1394727)

DDNS now supports additional algorithmsPreviously, the dhcpd daemon supported only the HMAC-MD5 hashing algorithm which is consideredinsecure for critical applications. As a consequence, the Dynamic DNS (DDNS) updates were


57

https://tools.ietf.org/html/rfc2136


potentially insecure. This update adds support for additional algorithms: HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. (BZ#1396985)

IPTABLES_SYSCTL_LOAD_LIST now supports the sysctl.d filesThe sysctl settings in IPTABLES_SYSCTL_LOAD_LIST are reloaded by the iptables init scriptwhen the iptables service is restarted. The modified settings were previously searched only in the /etc/sysctl.conf file. This update adds support for searching these modifications in the /etc/sysctl.d/ directory as well. As a result, the user-provided files in /etc/sysctl.d/ are nowcorrectly taken into account when the iptables service is restarted. (BZ#1402021)

SCTP now supports MSG_MOREThe MSG_MORE flag is set to buffer small pieces of data until a full packet is ready for transmission oruntil a call is performed that does not specify this flag. This update adds support for MSG_MORE on theStream Control Transmission Protocol (SCTP). As a result, small data chunks can be buffered and sentas a full packet. (BZ#1409365)

MACsec rebased to version 4.13The Media Access Control Security (MACsec) driver has been upgraded to upstream version4.13, which provides a number of bug fixes and enhancements over the previous version. Notableenhancements include:

Generic Receive Offload (GRO) and Receive Packet Steering (RPS) are enabledon MACsec devices.

The MODULE_ALIAS_GENL_FAMILY module has been added. This helps tools such as wpa_supplicant to start even if the module is not loaded yet. (BZ#1467335)

Enhanced performance when using the mlx5 driver in Open vSwitchThe Open vSwitch (OVS) application enables Virtual Machines to communicate with each other and thephysical network. OVS resides in the hypervisor and switching is based on twelve tuple matching onflows. However, the OVS software-based solution is very CPU-intensive. This affects the systemperformance and prevents using the fully available bandwidth.

With this update, the mlx5 driver for Mellanox ConnectX-4, ConnectX-4 Lx, and ConnectX-5 adapterscan offload OVS. The Mellanox Accelerated Switching And Packet Processing (ASAP2) Directtechnology enables offloading OVS by handling the OVS data-plane in Mellanox ConnectX-4 and laternetwork interface cards with Mellanox Embedded Switch or eSwitch, while maintaining an unmodifiedOVS control-plane. As a result, the OVS performance is significantly higher and less CPU-intensive.

The current actions supported by ASAP2 Direct include packet parsing and matching, forward, dropalong with VLAN push/pop, or VXLAN encapsulation and decapsulation. (BZ#1456687)

The Netronome NFP Ethernet driver now supports the representor netdev featureThis update backports the representor netdev feature for the Netronome NFP Ethernet driver toRed Hat Enterprise Linux 7.5. This enhancement enables the driver:

To receive and transmit fallback traffic

To be used in Open vSwitch

To support programming flows to the NFP hardware by using the TC-Flower utility(BZ#1454745)

Support for offloading TC-Flower actions

7.5 Release Notes

58


This update adds support for offloading the TC-Flower classifier and actions related to offloading ofOpen vSwitch. This allows acceleration of Open vSwitch using Netronome SmartNICs. (BZ#1468286)

DNS stub resolver improvementsThe DNS stub resolver in the glibc package has been updated to the upstream glibc version 2.26.Notable improvements and bug fixes include:

Changes to the /etc/resolv.conf file are now automatically recognized and applied torunning programs. To restore the previous behavior, add the noreload option to the optionsline in /etc/resolv.conf. Note that depending on system configuration, the /etc/resolv.conf file might be automatically overwritten as part of the configuration of thenetworking subsystem, removing the noreload option.

The previous limit of six search domain entries is removed. You can now specify any number ofdomains with the search directive in /etc/resolv.conf. Note that additional entries mayadd significant overhead to DNS processing; consider running a local caching resolver if thenumber of entries exceeds three.

The handling of various boundary conditions in the getaddrinfo() function is fixed. Very longlines in the /etc/hosts file (including comments) no longer affect lookup results from otherlines. Unexpected terminations related to stack exhaustion on systems with certain /etc/hosts configuration no longer occur.

Previously, when the rotate option was enabled in /etc/resolv.conf, the first DNS queryof a new process was always sent to the second name server configured in the name server listin /etc/resolv.conf. This behavior has been changed, and the first DNS query nowrandomly selects a name server from the list. Subsequent queries rotate through the availablename servers, as before. (BZ#677316, BZ#1432085, BZ#1257639, BZ#1452034, BZ#1329674)


59





LUKS-encrypted removable storage devices can be now automatically unlockedusing NBDEWith this update, the clevis package and the clevis_udisks2 subpackage enable users to bind removablevolumes to a Network-Bound Disk Encryption (NBDE) policy. To automatically unlock a LUKS-encryptedremovable storage device, such as a USB drive, use the clevis luks bind and clevis luks unlock commands. (BZ#1475408)

new package: clevis-systemdThis update of the Clevis pluggable framework introduces the clevis-systemd subpackage, whichenables administrators to set automated unlocking of LUKS-encrypted non-root volumes at boot time.(BZ#1475406)

OpenSCAP can be now integrated into Ansible workflowsWith this update, the OpenSCAP scanner can generate remediation scripts in the form of AnsiblePlaybooks, either based on profiles or based on scan results. Playbooks based on SCAP Security GuideProfiles contain fixes for all rules, and playbooks based on scan results contain only fixes for rules thatfail during an evaluation. The user can also generate a playbook from a tailored Profile, or customize itdirectly by editing the values in the playbook. Tags, such as Rule ID, strategy, complexity, disruption, orreferences, used as metadata for tasks in playbooks serve to filter, which tasks to apply. (BZ#1404429)

SECCOMP_FILTER_FLAG_TSYNC enables synchronization of calling process threadsThis update introduces the SECCOMP_FILTER_FLAG_TSYNC flag. When adding a new filter, this flagsynchronizes all other threads of the calling process to the same seccomp filter tree. See the seccomp(2) man page for more information.

Note that if an application installs multiple libseccomp or seccomp-bpf filters, the seccomp() syscallshould be added to the list of allowed system calls. (BZ#1458278)

nss rebased to version 3.34The nss packages have been upgraded to upstream version 3.34, which provides a number of bug fixesand enhancements over the previous version. Notable changes include:

TLS compression is no longer supported.

The TLS server code now supports session ticket without an RSA key.

Certificates can be specified using a PKCS#11 URI.

The RSA-PSS cryptographic signature scheme is now allowed for signing and verification ofcertificate signatures. (BZ#1457789)

SSLv3 disabled in mod_sslTo improve the security of SSL/TLS connections, the default configuration of the httpd mod_sslmodule has been changed to disable support for the SSLv3 protocol, and to restrict the use of certaincryptographic cipher suites. This change will affect only fresh installations of the mod_ssl package, soexisting users should manually change the SSL configuration as required.

Any SSL clients attempting to establish connections using SSLv3, or using a cipher suite based on DESor RC4, will be denied in the new default configuration. To allow such insecure connections, modify the SSLProtocol and SSLCipherSuite directives in the /etc/httpd/conf.d/ssl.conf file.(BZ#1274890)

7.5 Release Notes

60



Libreswan now supports split-DNS configuration for IKEv2This update of the libreswan packages introduces support for split-DNS configuration for the Internet KeyExchange version 2 (IKEv2) protocol through the leftmodecfgdns= and leftcfgdomains= options.This enables the user to reconfigure a locally running DNS server with DNS forwarding for specificprivate domains. (BZ#1300763)

libreswan now supports AES-GMAC for ESPWith this update, support for Advanced Encryption Standard (AES) Galois Message Authentication Code(GMAC) within IPsec Encapsulating Security Payload (ESP) through the phase2alg=null_auth_aes_gmac option has been added to the libreswan packages. (BZ#1475434)

openssl-ibmca rebased to 1.4.0The openssl-ibmca packages have been upgraded to upstream version 1.4.0, which provides a numberof bug fixes and enhancements over the previous version:

Added Advanced Encryption Standard Galois/Counter Mode (AES-GCM) support.

Fixes for OpenSSL operating in FIPS mode incorporated. (BZ#1456516)

opencryptoki rebased to 3.7.0The opencryptoki packages have been upgraded to upstream version 3.7.0, which provides a number ofbug fixes and enhancements over the previous version:

Upgraded the license to Common Public License Version 1.0 (CPL).

Added ECDSA with SHA-2 support for Enterprise PKCS #11 (EP11) and CommonCryptographic Architecture (CCA).

Improved performance by moving from mutex locks to Transactional Memory (TM).(BZ#1456520)

atomic scan with configuration_compliance enables creating security-compliantcontainer images at build timeThe rhel7/openscap container image now provides the configuration_compliance scan type.When used as an argument for the atomic scan command, this new scan type enables users to:

scan Red Hat Enterprise Linux-based container images and containers against any profileprovided by the SCAP Security Guide (SSG)

remediate Red Hat Enterprise Linux-based container images to be compliant with any profileprovided by the SSG

generate an HTML report from a scan or a remediation.

The remediation results in a container image with an altered configuration that is added as a new layeron top of the original container image.

Note that the original container image remains unchanged and only a new layer is created on top of it.The remediation process builds a new container image that contains all the configuration improvements.The content of this layer is defined by the security policy of scanning. This also means that theremediated container image is no longer signed by Red Hat, which is expected, since it differs from theoriginal container image by containing the remediated layer. (BZ#1472499)

tang-nagios enables Nagios to monitor Tang


61



The tang-nagios subpackage provides the Nagios plugin for Tang. The plugin enables the Nagiosprogram to monitor a Tang server. The subpackage is available in the Optional channel. See the tang-nagios(1) man page for more information. (BZ#1478895)

clevis now logs privileged operationsWith this update, the clevis-udisks2 subpackage logs all attempted key recoveries to the Audit log, andthe privileged operations can be now tracked using the Linux Audit system. (BZ#1478888)

PK11_CreateManagedGenericObject() has been added to NSS to prevent memoryleaks in applicationsThe PK11_DestroyGenericObject() function does not destroy objects allocated by PK11_CreateGenericObject() properly, but some applications depend on a function for creatingobjects that persist after the use of the object. For this reason, the Network Security Services(NSS) libraries now include the PK11_CreateManagedGenericObject() function. If you createobjects with PK11_CreateManagedGenericObject(), the PK11_DestroyGenericObject()function also properly destroys underlying associated objects. Applications, such as the curl utility, cannow use PK11_CreateManagedGenericObject() to prevent memory leaks. (BZ#1395803)

OpenSSH now supports openssl-ibmca and openssl-ibmpkcs11 HSMsWith this update, the OpenSSH suite enables hardware security modules (HSM) handled by the openssl-ibmca and openssl-ibmpkcs11 packages. Prior to this, the OpenSSH seccomp filter prevented thesecards working with the OpenSSH privilege separation. The seccomp filter has been updated to allowsystem calls needed by the cryptographic cards on IBM z Systems. (BZ#1478035)

cgroup_seclabel enables fine-grained access control on cgroupsThis update introduces the cgroup_seclabel policy capability that enables users to set labels oncontrol group (cgroup) files. Prior to this addition, labeling of the cgroup file system was not possible, andto run the systemd service manager in a container, read and write permissions for any content on thecgroup file system had to be allowed. The cgroup_seclabel policy capability enables fine-grainedaccess control on the cgroup file system. (BZ#1494179)

The boot process can now unlock encrypted devices connected by networkPreviously, the boot process attempted to unlock block devices connected by network before startingnetwork services. Because the network was not activated, it was not possible to connect and decryptthese devices.

With this update, the remote-cryptsetup.target unit and other patches have been added to systemd packages. As a result, it is now possible to unlock encrypted block devices that are connectedby network during system boot and to mount file systems on such block devices.

To ensure correct ordering between services during system boot, you must mark the network devicewith the _netdev option in the /etc/crypttab configuration file.

A common use case for this feature is together with network-bound disk encryption. For moreinformation on network-bound disk encryption, see the following chapter in the Red Hat Enterprise LinuxSecurity Guide:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-using_network-bound_disk_encryption (BZ#1384014)

SELinux now supports InfiniBand object labelingThis release introduces SELinux support for InfiniBand end port and P_Key labeling, includingenhancements to the kernel, policy, and the semanage tool. To manage InfiniBand-related labels,use the following commands:

7.5 Release Notes

62




https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-using_network-bound_disk_encryption


semanage ibendport

semanage ibpkey (BZ#1471809, BZ#1464484, BZ#1464478)

libica rebased to 3.2.0The libica packages have been upgraded to upstream version 3.2.0, which most notably adds support forthe Enhanced SIMD instructions set. (BZ#1376836)

SELinux now supports systemd No New PrivilegesThis update introduces the nnp_nosuid_transition policy capability that enables SELinux domaintransitions under No New Privileges (NNP) or nosuid if nnp_nosuid_transition is allowedbetween the old and new contexts. The selinux-policy packages now contain a policy for systemdservices that use the NNP security feature.

The following rule describes allowing this capability for a service:

allow source_domain target_type:process2 { nnp_transition nosuid_transition };

For example:

allow init_t fprintd_t:process2 { nnp_transition nosuid_transition };

The distribution policy now also contains the m4 macro interface, which can be used in SELinux securitypolicies for services that use the init_nnp_daemon_domain() function. (BZ#1480518)

Libreswan rebased to version 3.23The libreswan packages have been upgraded to upstream version 3.23, which provides a number of bugfixes, speed improvements, and enhancements over the previous version. Notable changes include:

Support for the extended DNS Security Extensions (DNSSEC) suite through the dnssec-enable=yes|no, dnssec-rootkey-file=, and dnssec-anchors= options.

Experimental support for Postquantum Preshared Keys (PPK) through the ppk=yes|no|insist option.

Support for Signature Authentication (RFC 7427) for RSA-SHA.

The new logip= option with the default value yes can be used to disable logging of incomingIP addresses. This is useful for large-scale service providers concerned for privacy.

Unbound DNS server ipsecmod module support for Opportunistic IPsec using IPSECKEYrecords in DNS.

Support for the Differentiated Services Code Point (DSCP) architecture through the decap-dscp=yes option. DSCP was formerly known as Terms Of Service (TOS).

Support for disabling Path MTU Discovery (PMTUD) through the nopmtudisc=yes option.

Support for the IDr (Identification - Responder) payload for improved multi-domain deployments.

Resending IKE packets on extremely busy servers that return the EAGAIN error message.

Various improvements to the updown scripts for customizations.


63




Updated preferences of crypto algorithms as per RFC 8221 and RFC 8247.

Added the %none and /dev/null values to the leftupdown= option for disabling the updownscript.

Improved support for rekeying using the CREATE_CHILD_SA exchange.

IKEv1 XAUTH thread race conditions resolved.

Significant performance increase due to optimized pthread locking.

See the ipsec.conf man page for more information. (BZ#1457904)

libreswan now supports IKEv2 MOBIKEThis update introduces support for the IKEv2 Mobility and Multihoming (MOBIKE) protocol (RFC 4555)using the XFRM_MIGRATE mechanism through the mobike=yes|no option. MOBIKE enablesseamless switching of networks, for example, Wi-Fi, LTE, and so on, without disturbing the IPsec tunnel.(BZ#1471763)

scap-workbench rebased to version 1.1.6The scap-workbench packages have been upgraded to version 1.1.6, which provides a number of bugfixes and enhancements over the previous version. Notable changes are:

Added support for generating Bash and Ansible remediation roles from profiles and for scanningresults. The generated remediations can be saved to a file for later use.

Added support for opening tailoring files directly from the command line.

Fixed a short integer overflow when using SSH port numbers higher than 32,768. (BZ#1479036)

OpenSCAP is now able to generate results for DISA STIG ViewerThe OpenSCAP suite is now able to generate results in the format compatible with the DISA STIG Viewer tool. This enables the user to scan a local system for Defense Information Systems AgencySecurity Technical Implementation Guide (DISA STIG) compliance and open results in DISA STIG Viewer. (BZ#1505517)

selinux-policy no longer contains permissive domainsAs a security hardening measure, the SELinux policy now does not set the following domains topermissive mode by default:

blkmapd_t

hsqldb_t

ipmievd_t

sanlk_resetd_t

systemd_hwdb_t

targetd_t

The default mode for these domains is now set to enforcing. (BZ#1494172)

audit rebased to version 2.8.1

7.5 Release Notes

64






The audit packages have been upgraded to upstream version 2.8.1, which provides a number of bugfixes and enhancements over the previous version. Notable changes are:

Added support for ambient capability fields.

The Audit daemon now works also on IPv6.

Added the default port to the auditd.conf file.

Fixed the auvirt tool to report Access Vector Cache (AVC) messages. (BZ#1476406)

OpenSC now supports the SCE7.0 144KDI CAC Alt. tokensThis update adds support for the SCE7.0 144KDI Common Access Card (CAC) Alternate tokens. Thesenew cards were not compliant with the previous U.S. Department of Defense (DoD) ImplementationGuide for CAC PIV End-Point specification, and the OpenSC driver has been updated to reflect theupdated specification. (BZ#1473418)


65



CHAPTER 15. SERVERS AND SERVICES

Leftover dbus processesRed Hat Enterprise Linux 7.5 adds a feature that enables users to launch dbus-using applicationsremotely, for example over SSH or over IBM Platform LSF.

However, when processes using dbus are launched remotely, dbus processes keep running even afterthe main process is closed, blocking the remote session and preventing it from terminating properly.

To work around this problem, follow the instructions at https://access.redhat.com/solutions/3257651.(BZ#1460262)

dbus rebased to version 1.10The dbus packages have been upgraded to upstream version 1.10, which provides a number of bug fixesand enhancements over the previous version. Notable changes include:

dbus-run-session is a new utility to run a dbus session bus for the runtime of a loginsession, making ssh sessions which start dbus-using applications more predictable and reliable.See man 1 dbus-run-session for more details.

Several memory and file descriptor leaks have been fixed. This improves the dbus-daemonmemory usage and reliability.

The well-known system and session bus configuration files have been moved from /etc/dbus-1/ to the /usr/share/dbus-1/ directory. While the old location can still beused, it is deprecated (specifically, session.conf and system.conf are deprecated, butsystem administrator configuration snippets under session.d and system.d are permitted).(BZ#1480264)

tuned rebased to version 2.9.0The tuned packages have been upgraded to upstream version 2.9.0, which provides a number of bugfixes and enhancements over the previous version. Notable changes include the following:

The net plug-in has been extended with the ring and pause parameters.

The concept of manually or automatically set profile has been introduced.

A directory for profile recommendation files is now supported. (BZ#1467576)

chrony rebased to version 3.2The chrony packages have been upgraded to upstream version 3.2, which provides a number of bugfixes and enhancements over the previous version. Notable enhancements include:

Support for hardware timestamping with bonding, bridging, and other logical interfaces thataggregate ethernet interfaces

Support for transmit-only hardware timestamping with network cards that can timestamp onlyreceived Precision Time Protocol (PTP) packets but not Network Time Protocol (NTP) packets

Improved stability of synchronization with hardware timestamping and interleaved modes

An improved leapsectz option to automatically set the offset of the system clock betweenInternational Atomic Time (TAI) and Coordinated Universal Time (UTC) (BZ#1482565)

SNMP page counting can be now disabled in CUPS

7.5 Release Notes

66





The simple network management protocol (SNMP) page counting currently shows incorrect informationfor certain printers. With this update, the CUPS printing system supports turning off the SNMP pagecounting, which prevents the problem. To do so, add *cupsSNMPPages: False into the printer'spostscript printer description (PPD) file.

The procedure for adding options into printer's PPD file is described in solution article athttps://access.redhat.com/solutions/1427573 . (BZ#1434153)

CUPS can be set to use only ciphers from TLS version 1.2 or laterThe CUPS printing system can now be set to use only ciphers from TLS version 1.2 or later. You canuse the functionality by adding the option SSLOptions MinTLS1.2 into the /etc/cups/client.conf file for the CUPS client or into the /etc/cups/cupsd.conf file for theCUPS daemon. (BZ#1466497)

The squid packages now provide the kerberos_ldap_group helperThis update adds the kerberos_ldap_group external Access Control Lists (ACL) helper to the squidpackages. The kerberos_ldap_group helper is a reference implementation that supports SimpleAuthentication and Security Layer (SASL) and Generic Security Services API (GSSAPI) authentication toan LDAP server, intended primarily to connect to Active Directory or OpenLDAP-based LDAP servers.(BZ#1452200)

OpenIPMI rebased to version 2.0.23The OpenIPMI packages have been upgraded to version 2.0.23, which provides a number of bug fixesand enhancements. Among others:

It adds a command to set a duty cycle of the fans directly.

It adds a way to specify the state directory from the command line after the compilation time.

It changes the message map size to 32 bits so that it can handle a full 16-message window.

It adds support for the IPMI LAN Simulator commands. See the ipmi_sim_cmd(5) man page.

It adds support for the IPMI LAN Interface configuration file. See the ipmi_lan(5) man page.(BZ#1457805)

Overview of changes from freeIPMI 1.2.9 to freeIPMI 1.5.7These are the most important changes:

- The ipmi-fru tool now supports the output of the DDR3 and DDR4 SDRAM modules and new FRUmultirecords. - The new ipmi-config tool is a consolidated configuration tool implementing all thefunctionalities that were previously in the bmc-config, ipmi-pef-config, ipmi-sensors-config,and ipmi-chassis-config tools. - The ipmi-sel tool reads and manages the IPMI System EventLog records, which makes the tool useful for debugging the system.

A complete list of changes is available after the installation in the /usr/share/doc/freeipmi/NEWSfile. (BZ#1435848)

A new clear_env option available in PHP FPM pool configurationThis update introduces a new clear_env option in PHP's FastCGI Process Manager (FPM) poolconfiguration. If the clear_env option is disabled, environment variables set when running the FPMdaemon are preserved and available to scripts. By default, clear_env is enabled, preserving currentbehavior. (BZ#1410010)


67






CHAPTER 16. STORAGE

Data Deduplication and Compression with VDORed Hat Enterprise Linux 7.5 introduces Virtual Data Optimizer (VDO). This feature enables you tocreate block devices that transparently provide data deduplication, compression, and thin provisioning.Standard file systems and applications can run on these virtual block devices without modification.

VDO is currently available only on the AMD64 and Intel 64 architectures.

For more information on VDO, see the chapter Data Deduplication and Compression with VDO in theStorage Administration Guide: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/storage_administration_guide/vdo. (BZ#1480047)

New boom utility for managing LVM snapshot and image boot entriesThis release adds the boom command, which you can use to manage additional boot loader entries onthe system. You can use it to create, delete, list, and modify auxiliary boot entries for system snapshotsand images. The utility provides a single tool for managing boot menu entries for LVM snapshots;therefore you no longer need to manually edit boot loader configuration files and work with detailedkernel parameters. The tool is provided by the lvm2-python-boom package. (BZ#1278192)

DM Multipath no longer requires reservation keys in advanceDM Multipath now supports two new configuration options in the multipath.conf file:

unpriv_sgio

prkeys_file

The reservation_key option of the defaults and multipaths sections accepts a new keyword: file. When set, the multipathd service will now use the file configured in the prkeys_file option ofthe defaults section to get the reservation key to use for the paths of a multipath device. The prkeysfile is automatically updated by the mpathpersist utility. The default for the reservation_key optionremains undefined, and default for the prkeys_file is /etc/multipath/prkeys.

If the new unpriv_sgio option is set to yes, DM Multipath will now create all new devices and theirpaths with the unpriv_sgio attribute. This option is used internally by other software, and isunnecessary for most DM Multipath users. It defaults to no.

These changes make it possible to use the mpathpersist utility without knowing ahead of time whatreservation keys will be used and without adding them to the multipath.conf configuration file. As aresult, it is now easier to use the mpathpersist utility to manage multipath persistent reservations inmultiple setups. (BZ#1452210)

New property parameter supported in blacklist and blacklist_exception sectionsof multipath.confThe multipath.conf configuration file now supports the property parameter in the blacklist and blacklist_exception sections of the file. This parameter allows users to blacklist certain types ofdevices. The property parameter takes a regular expression string that is matched against the udevenvironment variable names for the device.

The property parameter in blacklist_exception works differently than the other blacklist_exception parameters. If the parameter is set, the device must have a udev variable thatmatches. Otherwise, the device is blacklisted.

Most usefully, this parameter allows users to blacklist SCSI devices that multipath should ignore, such as

7.5 Release Notes

68

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/storage_administration_guide/vdo



USB sticks and local hard drives. To allow only SCSI devices that could reasonably be multipathed, setthis parameter to (SCSI_IDENT_|ID_WWN) in the blacklist_exceptions section of the multipath.conf file. (BZ#1456955)

smartmontools now support NVMe devicesThis update adds support for Nonvolatile Memory Express (NVMe) devices, especially Solid-state Drive(SSD) disks, into the smartmontools package. As a result, the smartmontools utilities can now be usedfor monitoring NVMe disks with the Self-Monitoring, Analysis and Reporting Technology System(S.M.A.R.T.). (BZ#1369731)

Support for DIF/DIX (T10 PI) on specified hardwareSCSI T10 DIF/DIX is fully supported in Red Hat Enterprise Linux 7.5, provided that the hardware vendorhas qualified it and provides full support for the particular HBA and storage array configuration. DIF/DIXis not supported on other configurations, it is not supported for use on the boot device, and it is notsupported on virtualized guests.

At the current time, the following vendors are known to provide this support.

FUJITSU supports DIF and DIX on:

EMULEX 16G FC HBA:

EMULEX LPe16000/LPe16002, 10.2.254.0 BIOS, 10.4.255.23 FW, with:

FUJITSU ETERNUS DX100 S3, DX200 S3, DX500 S3, DX600 S3, DX8100 S3, DX8700 S3,DX8900 S3, DX200F, DX60 S3, AF250, AF650, DX60 S4, DX100 S4, DX200 S4, DX500 S4,DX600 S4, AF250 S2, AF650 S2

QLOGIC 16G FC HBA:

QLOGIC QLE2670/QLE2672, 3.28 BIOS, 8.00.00 FW, with:

FUJITSU ETERNUS DX100 S3, DX200 S3, DX500 S3, DX600 S3, DX8100 S3, DX8700 S3,DX8900 S3, DX200F, DX60 S3, AF250, AF650, DX60 S4, DX100 S4, DX200 S4, DX500 S4,DX600 S4, AF250 S2, AF650 S2

Note that T10 DIX requires database or some other software that provides generation and verification ofchecksums on disk blocks. No currently supported Linux file systems have this capability.

EMC supports DIF on:

EMULEX 8G FC HBA:

LPe12000-E and LPe12002-E with firmware 2.01a10 or later, with:

EMC VMAX3 Series with Enginuity 5977; EMC Symmetrix VMAX Series with Enginuity5876.82.57 and later

EMULEX 16G FC HBA:

LPe16000B-E and LPe16002B-E with firmware 10.0.803.25 or later, with:


QLOGIC 16G FC HBA:

CHAPTER 16. STORAGE

69


QLE2670-E-SP and QLE2672-E-SP, with:


Please refer to the hardware vendor's support information for the latest status.

Support for DIF/DIX remains in Technology Preview for other HBAs and storage arrays. (BZ#1499059)

File system Direct Access (DAX) and device DAX now support huge pagesPreviously, each file system DAX and device DAX page fault mapped to a single page in the user space.With this update, file system DAX and device DAX can now map persistent memory in larger chunks,called huge pages.

File system DAX supports huge pages that are, for example, 2 MiB in size on the AMD64 and Intel 64architectures, and device DAX supports using either 2 MiB or 1 GiB huge pages on AMD64 and Intel 64.In comparison, a standard page is 4 KiB in size on the these architectures.

When creating a DAX namespace, you can configure the page size that the namespace should use forall page faults.

Huge pages lead to fewer page faults, smaller page tables, and less Translation Lookaside Buffer (TLB)contention. As a result, file system DAX and device DAX now use less memory and perform better.(BZ#1457561, BZ#1383493)

fsadm can now grow and shrink LUKS-encrypted LVM volumesThe fsadm utility is now able to grow and shrink Logical Volume Manager (LVM) volumes that areencrypted with Linux Unified Key Setup (LUKS). This applies both to using fsadm directly with the fsadm --lvresize command and to using it indirectly through the lvresize --resizefscommand.

Note that due to technical limitations, resizing of encrypted devices with a detached header is notsupported. (BZ#1113681)

7.5 Release Notes

70



CHAPTER 17. SYSTEM AND SUBSCRIPTION MANAGEMENT

cockpit rebased to version 154The cockpit packages, which provide the Cockpit browser-based administration console, have beenupgraded to version 154. This version provides a number of bug fixes and enhancements. Notablechanges include:

The Accounts page now enables the configuration of account locking and password expiry.

Load graphs consistently ignore loopback traffic on all networks.

Cockpit provides information about unmet conditions for systemd services.

Newly created timers on the Services page are now started and enabled automatically.

It is possible to dynamically resize the terminal window to use all available space.

Various navigation and JavaScript errors with Internet Explorer have been fixed.

Cockpit uses Self-Signed Certificate Generator (SSCG) to generate SSL certificates, ifavailable.

Loading SSH keys from arbitrary paths is now supported.

Absent or invalid /etc/os-release files are now handled gracefully.

Unprivileged users now cannot use the shutdown/reboot button on the System page.

Note that certain cockpit packages are available in the Red Hat Enterprise Linux 7 Extras channel; seehttps://access.redhat.com/support/policy/updates/extras. (BZ#1470780, BZ#1425887, BZ#1493756)

Users of yum-utils now can perform actions prior to transactionsA new yum-plugin-pre-transaction-actions plug-in has been added to the yum-utilscollection. It allows users to perform actions before a transaction starts. The usage and configuration ofthe plug-in are almost identical to the existing yum-plugin-post-transaction-actions plug-in.(BZ#1470647)

yum can disable creation of per-user cache as a non-root userNew usercache option has been added to the yum.conf(5) configuration file of the yum utility. Itallows the users to disable the creation of per-user cache when yum runs as a non-root user. The reasonfor this change is that in some cases users do not want to create and populate per-user cache, forexample in cases where the space in the $TMPDIR directory is consumed by the user cache data.(BZ#1432319)

yum-builddep now allows to define RPM macrosThe yum-builddep utility has been enhanced to allow you to define RPM macros for a .spec fileparsing. This change has been made because, in some cases, RPM macros need to be defined in orderfor yum-builddep to successfully parse a .spec file. Similarly to the rpm utility, the yum-builddep toolnow allows you to specify RPM macros with the --define option. (BZ#1437636)

subscription-manager now displays the host name upon registrationUntil now, the user needed to search for the effective host name for a given system, which is determinedby different Satellite settings. With this update, the subscription-manager utility displays the hostname upon the registration of the system. (BZ#1463325)


71

https://access.redhat.com/support/policy/updates/extras





A subscription-manager plugin now runs with yum-config-managerWith this update, the subscription-manager plugin runs with the yum-config-manager utility. The yum-config-manager operations now trigger redhat.repo generation, allowing Red Hat EnterpriseLinux containers to enable or disable repositories without first running yum commands. (BZ#1329349)

subscription-manager now protects all product certificates in /etc/pki/product-default/

Previously, the subscription-manager utility only protected those product certificates provided bythe redhat-release package whose tag matched rhel-#. Consequently, product certificates such as RHEL-ALT or High Touch Beta were sometimes removed from the /etc/pki/product-default/directory by the product-id yum plugin. With this update, subscription-manager has beenmodified to protect all certificates in /etc/pki/product-default/ against automatic removal.(BZ#1526622)

rhn-migrate-classic-to-rhsm now automatically enables the subscription-managerand product-id yum pluginsWith this update, the rhn-migrate-classic-to-rhsm utility automatically enables the yum plugins: subscription-manager and product-id. With this update, the subscription-manager utilityautomatically enables the yum plugins: subscription-manager and product-id. This updatebenefits users of Red Hat Enterprise Linux who previously used the rhn-client-tools utility toregister their systems to Red Hat Network Classic or who still use it with Satellite 5 entitlement servers,and who have temporarily disabled the yum plugins. As a result, rhn-migrate-classic-to-rhsmallows an easy transition to using the newer subscription-manager tools for entitlements. Note thatrunning rhn-migrate-classic-to-rhsm displays a warning message indicating how to change thisdefault behavior if it is not desirable. (BZ#1466453)

subscription-manager now automatically enables the subscription-manager and product-id yum pluginsWith this update, the subscription-manager utility automatically enables the yum plugins: subscription-manager and product-id. This update benefits users of Red Hat Enterprise Linuxwho previously used the rhn-client-tools utility to register their systems to Red Hat Network Classicor who still use it with Satellite 5 entitlement servers, and who have temporarily disabled the yum plugins.As a result, it is easier for users to start using the newer subscription-manager tools forentitlements. Note that running subscription-manager displays a warning message indicating howto change this default behavior if it is not desirable. (BZ#1319927)

subscription-manager-cockpit replaces subscription functionality in cockpit-system

This update introduces a new subscription-manager-cockpit RPM. The new subscription-manager-cockpit RPM provides a new dbus-based implementation and a few fixes to the samesubscriptions functionality provided by cockpit-system. If both RPMs are installed, theimplementation from subscription-manager-cockpit is used. (BZ#1499977)

virt-who logs where the host-guest mapping is sentThe virt-who utility now uses the rhsm.log file to log the owner or account to which the host-guestmapping is sent. This helps proper configuration of virt-who. (BZ#1408556)

virt-who now provides configuration error informationThe virt-who utility now checks for common virt-who configuration errors and outputs log messagesthat specify the configuration items that caused these errors. As a result, it is easier for a user to correct virt-who configuration errors. (BZ#1436617)

7.5 Release Notes

72








CHAPTER 18. VIRTUALIZATION

KVM virtualization on IBM z SystemsKVM virtualization is now supported on IBM z Systems. However, this feature is only available in thenewly introduced user space based on kernel version 4.14, provided by the kernel-alt packages.

Also note that due to hardware differences, certain features and functionalities of KVM virtualization differfrom what is supported on AMD64 and Intel 64 systems.

For details on installing and using KVM virtualization on IBM z Systems, see the VirtualizationDeployment and Administration Guide. (BZ#1400070, BZ#1379517, BZ#1479525, BZ#1479526,BZ#1471761)

KVM virtualization supported on IBM POWER9With this update, KVM virtualization is supported on IBM POWER9 systems, which makes it possible touse KVM virtualization on IBM POWER9 machines. However, this feature is only available in the newlyintroduced user space based on kernel version 4.14, provided by the kernel-alt packages.

Also note that due to hardware differences, certain features and functionalities of KVM virtualization onIBM POWER9 differ from what is supported on AMD64 and Intel 64 systems.

For details on installing and using KVM virtualization on POWER9 systems, see the VirtualizationDeployment and Administration Guide. (BZ#1465503, BZ#1478482, BZ#1478478)

KVM virtualization supported on IBM POWER8With this update, KVM virtualization is supported on IBM POWER8 systems, which makes it possible touse KVM virtualization on IBM POWER8 machines.

Note that due to hardware differences, certain features and functionalities of KVM virtualization on IBMPOWER8 differ from what is supported on AMD64 and Intel 64 systems.

For details on installing and using KVM virtualization on POWER8 systems, see the VirtualizationDeployment and Administration Guide. (BZ#1531672)

NVIDIA GPU devices can now be used by multiple guests simultaneouslyThe NVIDIA vGPU feature is now supported on Red Hat Enterprise Linux 7. This enables dividing avGPU-compatible NVIDIA GPU into multiple virtual devices referred to as mediated devices. Byassigning mediated devices to guest virtual machines, these guests are able to share the performance ofa single physical GPU.

To configure this feature, manually create a mediated device for the libvirt service to be able to use it asa vGPU. For details, see the Virtualization Deployment and Administration Guide. (BZ#1292451)

KASLR for KVM guestsRed Hat Enteprise Linux 7.5 introduces the Kernel Address Space Randomization (KASLR) feature forKVM guest virtual machines. KASLR enables randomizing the physical and virtual address at which thekernel image is decompressed, and thus prevents guest security exploits based on the location of kernelobjects.

KASLR is activated by default, but can be deactivated on a specific guest by adding the nokaslr stringto the guest's kernel command line.

Note that kernel crash dumps of guests with KASLR activated cannot be analyzed using the crashutility. To fix this, add the <vmcoreinfo/> element to the <features> section of the XMLconfiguration files of your guests. However, KVM guests with <vmcoreinfo/> cannot be migrated to a


73



host system that does not support this element. This includes hosts that use Red Hat Enterprise Linux7.4 and earlier (BZ#1411490, BZ#1395248)

Parallel decompression of OVA files supportedWith this release, the pigz and pxz decompression utilities are supported by the virt-v2v utility.

These utilities speed up extraction of OVA files compressed with the gzip and xz utilities on multi-processor machines. In addition, the command-line interfaces for pigz and pxz are fully compatible withthe command-line interfaces for gzip and xz.

If pigz and pxz are installed, they are used by default. If pigz and pxz are not installed, there is nochange to the extraction behavior. (BZ#1448739)

SMAP now supported on Cannonlake guestsWith this update, the Superior Mode Access Prevention (SMAP) feature is supported on guests that usethe 7th Generation Intel Processors codenamed Cannonlake. This prevents malicious programs fromforcing the kernel to use data from a user-space program, and thus increases the security of the guests.

To verify that your host CPU can provide SMAP for your guest, use the virsh capabilitiescommand and look for the <feature name='smap'/> string. (BZ#1465223)

libvirt rebased to 3.9.0The libvirt packages have been upgraded to version 3.9.0, which provides a number of bug fixes andenhancements over the previous version. Notable changes include:

Sparse files are now preserved after moving them to or from another host.

Response limits for remote procedure calls (RPCs) have been increased.

Virtualized IBM POWER9 CPUs are now supported.

Attaching devices to running guest virtual machines, also known as device hot plug, nowsupports more device types, such as input devices.

The libvirt library has been secured against the CVE-2017-1000256 and CVE-2017-5715security issues.

VFIO-mediated devices now function more reliably. (BZ#1472263)

virt-manager rebased to 1.4.3The virt-manager packages have been upgraded to version 1.4.3, which provides a number of bug fixesand enhancements over the previous version. Notable changes include:

The virt-manager interface now displays the correct CPU models when creating a guest virtualmachine that does not use the AMD64 and Intel 64 architectures.

The default device selection has been optimized for guests using the IBM POWER, IBM zSystems, or the 64-bit ARM architectures.

If an installed network card on the host system is compatible with single root I/O virtualization(SR-IOV), it is now possible to create a virtual network that lists a pool of available virtualfunctions of the selected SR-IOV-capable card.

The selection of OS types and versions for a newly created guest has been expanded.(BZ#1472271)

7.5 Release Notes

74






virt-what rebased to version 1.18The virt-what packages have been updated to upstream version 1.18, which provides a number of bugfixes and enhancements over the previous version. Notably, the virt-what utility can now detect thefollowing guest virtual machine types:

Guests running on an 64-bit ARM host and booted using the Advanced Configuration and PowerInterfaces.

Guests running on the oVirt or Red Hat Virtualization hypervisor.

Guests running on an IBM POWER7 host that uses logical partitioning (LPAR).

Guests running on the FreeBSD bhyve hypervisor.

Guests running on an IBM z Systems host that uses the KVM hypervisor.

Guests emulated using the QEMU Tiny Code Generator (TCG).

Guests running on the OpenBSD virtual machine monitor (VMM) service.

Guests running on the Amazon Web Services (AWS) platform.

Guests running on the Oracle VM Server for SPARC platform.

In addition, the following bugs have been fixed:

The virt-what utility no longer fails on platforms that do not use the System ManagemementBIOS (SMBIOS).

virt-what now works correctly even if the $PATH variable is not set. (BZ#1476878)

tboot rebased to version 1.96The tboot packages have been upgraded to upstream version 1.96, which fixes several bugs and addsvarious enhancements. Notable changes include:

The OpenSSL library versions 1.1.0 and later are now supported for RSA key manipulation andECDSA signature verification.

Support has been added for event logs of Trusted Computing Group (TCG) trusted platformmodules (TPMs).

The x2APIC series of Advanced Programmable Interrupt Controller (APICs) is now supported.

Additional checks have been added to prevent kernel images from being overwrittenunintentionally.

The tboot utility can no longer overwrite modules while moving them.

A bug has been fixed that caused sealing and unsealing Amazon Simple Storage Service (S3)secrets to fail.

Several null pointer dereference bugs have been fixed. (BZ#1457529)

virt-v2v can convert VMware guests with snapshotsThe virt-v2v utility has been enhanced to convert VMware guest virtual machines that havesnapshots. Note that after the conversion, the status of such a guest is set to the top-most snapshot andthe other snapshots are removed. (BZ#1172425)


75



virt-rescue enhancedThis release of the virt-rescue utility includes the following enhancements:

Ctrl+character sequences now act on commands run in virt-rescue and not on virt-rescue itself.

The -i option allows users to mount all disks after inspecting the guest. (BZ#1438710)

virt-v2v now converts Linux guests encrypted with LUKSWith this update, the virt-v2v utility can convert Linux guests installed with full-disk LUKS encryption,that is when all the partitions other than the /boot partition are encrypted.

Notes:

The virt-v2v utility does not support conversion of Linux guests on partitions with other typesof encryption schemes.

The virt-p2v utility does not support conversion of Linux machines installed with full-diskLUKS encryption. (BZ#1451665)

CAT support added to libvirt on specific CPU modelsThe libvirt service now supports Cache Allocation Technology (CAT) on specific CPU models. Thisenables guest virtual machines to have part of their host's CPU cache allocated for their vCPU threads.

For details on configuring this feature, see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_tuning_and_optimization_guide/index.html#sect_VTOG-vCPU_cache_reservation. (BZ#1289368)

PTP device added to improve time synchronization of KVM guestsThe PTP device has been added for KVM guest virtual machines. It enhances the kvmclocks serviceby preventing clock divergence between the host and the guest due to NTP adjustment. As a result, thePTP device ensures more reliable time synchronization between the KVM host and its guests.

For details on setting up the PTP device, see the Virtualization Deployment and Administration Guide.(BZ#1379822)

7.5 Release Notes

76



https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_tuning_and_optimization_guide/index.html#sect_VTOG-vCPU_cache_reservation



CHAPTER 19. RED HAT ENTERPRISE LINUX 7.5 FOR ARMRed Hat Enterprise Linux 7.5 for ARM introduces Red Hat Enterprise Linux 7.5 user space with anupdated kernel, which is based on version 4.14 and is provided by the kernel-alt packages. The offeringis distributed with other updated packages but most of the packages are standard Red HatEnterprise Linux 7 Server RPMs. Installation ISO images are available on the Customer PortalDownloads page.

For information about Red Hat Enterprise Linux 7.5 user space, see the Red Hat Enterprise Linux 7documentation. For information regarding the previous version, refer to Red Hat Enterprise Linux 7.4 forARM - Release Notes.

The following packages are provided as Development Preview in this release:

libvirt (Optional channel)

qemu-kvm-ma (Optional channel)

NOTE

KVM virtualization is a Development Preview on the 64-bit ARM architecture, and thus isnot supported by Red Hat. For more information, see the Virtualization Deployment andAdministration Guide. Customers may contact Red Hat and describe their use case, whichwill be taken into consideration for a future release of Red Hat Enterprise Linux.

19.1. NEW FEATURES AND UPDATES

Core Kernel

This update introduces the qrwlock queue write lock for 64-bit ARM systems. Theimplementation of this mechanism improves performance and prevents lock starvation byensuring fair handling of multiple CPUs competing for the global task lock. This change alsoresolves a known issue, which was present in earlier releases and which caused soft lockupsunder heavy load.

Note that any kernel modules built for previous versions of Red Hat Enterprise Linux 7 for ARM(against the kernel-alt packages) must be rebuilt against the updated kernel. (BZ#1507568)

SecurityUSBGuard is now fully supported on 64-bit ARM systemsThe USBGuard software framework provides system protection against intrusive USB devices byimplementing basic whitelisting and blacklisting capabilities based on device attributes. UsingUSBGuard on 64-bit ARM systems, previously available as a Technology Preview, is now fullysupported.

19.2. KERNEL CONFIGURATION CHANGES

HARDWARE ENABLEMENT

Bluetooth (disabled)

WIRELESS (disabled)

CPU_IDLE (enabled)

CHAPTER 19. RED HAT ENTERPRISE LINUX 7.5 FOR ARM

77

https://access.redhat.com/downloads/content/419/ver=/rhel---7/7.5/aarch64/product-software

https://access.redhat.com/documentation/en/red-hat-enterprise-linux/


https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_deployment_and_administration_guide/appe-kvm_on_arm

GPIO_DWAPB (enabled)

I2C (enabled) - Designware, QUP, and XLP9XX

sensor support:

IIO drivers (disabled)

Accel sensors (disabled)

light + orientation + interrupt trigger (disabled)

Input driver

mouse, synaptics, rmi4

LED

Intel SS4200 (disabled)

Generic IRQ CHIP (enabled)

Hibernate (enabled)

Clock Source DATA (enabled)

OSS_CORE (disabled)

all SND drivers (disabled)

Networking Driver Support

Thunder2 driver (enabled)

Amazon (enabled)

Altera (disabled)

ARC (disabled)

Broadcom B44, BCMGENET, BNX2X_VLAN, CNIC (disabled)

Hisilicon (enabled)

cadence MACB (disabled)

Chelsio T3 (disabled)

Intel E1000 (disabled)

Mellanox (enabled)

myri10GE (disabled)

Qlogic - qla2xxx, netxen_nic, Qed, Qede (enabled)

Qualcomm - qcom_emac (enabled)

7.5 Release Notes

78

Broadcom - bcm7xxx (disabled)

Infiniband Support

CXBG4 (enabled)

I40IW (enabled)

MLX4 (enabled)

MLX5 (enabled)

IPOIB (enabled)

IPOIB_CM (enabled)

IPOIB_DEBUG (enabled)

ISERT (enabled)

SRP (enabled)

SRPT (enabled)

CORE KERNEL SUPPORT

Schedule Imbalance (enabled)

48 bit VA support (enabled)

tick cpu accounting (disabled)

Context Tracking (enabled)

RCU NOCB (enabled)

CGROUP-Hugetlb (enabled)

CRIU (enabled)

BPF_SYSCALL (disabled)

PERF_USE_VMALLOC (disabled)

HZ_100/HZ (enabled)

NO_HZ_IDLE (disabled)

NO_HZ_FULL (enabled)

BPF_EVENTS (disabled)

LZ4 compression (disabled)

BTREE (enabled)

CPUMASK_OFFSTACK (disabled)


79

DEBUG_INFO_DWARF4 (enabled)

SCHEDSTATS (enabled)

Striaght DEVMEM (disabled)

Transparent Hugepage (HTP) (enabled)

ZSMaLLOC_STAT, IDLE_PAGE_TRACKING(enabled)

PAGE_EXTENSION and PAGE_POISONING (disabled)

Networking Stack Support

SLIP - (enabled)

JME (disabled)

IPVLAN (disabled)

BPF_JIT (disabled)

dccp (disabled)

[ipv4] NET_FOU, Diag, CDG, NV (disabled)

[ipv6] ILA (disabled), GRE (enabled)

MAC80211 (disabled)

netfilter_conntrack (enabled)

Graphic and GPU Support

DRM_I2C_SIL64 (disabled)

TTY

serial_nonstandard, cyclades, synclinkmp, synclink_gt, N_HDLC, serial_8250_MID(enabled)

fbdev (enabled)

USB - PHY (disabled)

Storage Support

Block scsi request (enabled)

Block debugfs (enabled)

Block Multi-Queue PCI (enabled)

Block Multi-Queue VirtIO (enabled)

Block Multi-Queue IOSched_deadline (enabled)

MD Long Write -(disabled)

7.5 Release Notes

80

SCSI - ARCMSR, AM53C974, WD719x, BNX2X_FCOE, BNX2_ISCSI, ESAS2R (disabled)

SCSI - HISI_SAS (enabled)

SPI - QUP, SLP (enabled)

SSB (disabled)

File Systems

FS_DAX (enabled)

BTRFS (disabled)

Ceph (enabled)

DLM (disabled)

FSCAHE (disabled)

GFS2 (disabled)

Swap over NFS (disabled)

NFS-FSCACHE (enabled)

Virtualization and KVM Support

KVM_IRQCHIP, KVM_IRQ_ROUTING, KVM_MSI (enabled)

Virtio - noiommu (enabled)

19.3. SUPPORT IN RED HAT SATELLITE

System management of Red Hat Enterprise Linux 7.5 for ARM is supported in Red Hat Satellite 6 but notin Red Hat Satellite 5.

19.4. KNOWN ISSUES

SELinux MLS policy is not supported with kernel version 4.14SELinux Multi-Level Security (MLS) Policy denies unknown classes and permissions, and kernelversion 4.14 in the kernel-alt packages recognizes the map permission, which is not defined in anypolicy. Consequently, every command on a system with active MLS policy and SELinux in enforcingmode terminates with the Segmentation fault error. A lot of SELinux denial warnings occurs onsystems with active MLS policy and SELinux in permissive mode. The combination of SELinux MLSpolicy with kernel version 4.14 is not supported.

ipmitool communicates with BMC only when IPMI_SI=no on Cavium ThunderXWhen starting ipmi.service with the systemctl command, the default configuration attempts to loadthe ipmi_si driver. On Cavium ThunderX systems, which do not have an IPMI SI device, ipmi.service incorrectly removes the ipmi_devintf driver. Consequently, the ipmitool utility inthe kernel is not able to communicate with the Baseboard Management Controller (BMC). To workaround this problem, edit the /etc/sysconfig/ipmi file and set the IPMI_SI variable as follows:

IPMI_SI=no


81

Then reboot the operating system if necessary. As a result, the correct drivers are loaded and ipmitoocan communicate with BMC through the /dev/ipmi0/ directory. (BZ#1448181)

Putting SATA ALPM devices into low power mode does not work correctlyWhen using the following commands to enable and disable low power mode for Serial AdvancedTechnology Attachment (SATA) devices using the Aggressive Link Power Management (ALPM) powermanagement protocol on the 64-bit ARM systems, SATA does not work correctly:

tuned-adm profile powersave

tuned-adm profile performance

Consequently, SATA failures stop all disk I/O, and users have to reboot the operating system to fix it. Towork around this problem, use one of the following options:

Do not put the system into the powersave profile

Check with your hardware vendor for firmware updates that might fix the bug with ALPM

(BZ#1430391)

Setting tuned to network-latency causes system hang on ARMIf the tuned profile is set to network-latency on the 64-bit ARM systems, the operating systembecomes unresponsive, and the kernel prints a backtrace to the serial console. To work around thisproblem, do not set the tuned profile to network-latency. (BZ#1503121)

modprobe succeeds to load kernel modules with incorrect parametersWhen attempting to load a kernel module with an incorrect parameter using the modprobe command,the incorrect parameter is ignored, and the module loads as expected on Red Hat Enterprise Linux 7 forARM and for IBM Power LE (POWER9).

Note that this is a different behavior compared to Red Hat Enterprise Linux for traditional architectures,such as AMD64 and Intel 64, IBM z Systems and IBM Power Systems. On these systems, modprobeexits with an error, and the module with an incorrect parameter does not load in the described situation.

On all architectures, an error message is recorded in the dmesg output. (BZ#1449439)

19.5. BUG FIXES

The ld linker generates correct dynamic executablesPreviously, the ld linker failed to create correct dynamic executables and terminated when invoked bythe Go language compiler go on the 64-bit ARM architecture. The linker has been updated to correctlyhandle copy relocations. As a result, the linker no longer fails in the described situation. (BZ#1430743)

The ld linker generates correct dynamic relocations for constant dataPreviously, the ld linker generated an incorrect kind of dynamic relocations for constant data sharedbetween a library and executable on the 64-bit ARM architecture. As a consequence, the producedexecutable files wasted resources and terminated unexpectedly when the shared data was accessed.The linker has been updated to generate correct dynamic relocations, and the described problem nolonger occurs. (BZ#1452170)

qrwlock is now enabled for 64-bit ARM systemsThis update introduces the qrwlock queued read-write lock for 64-bit ARM systems. The

7.5 Release Notes

82


implementation of this mechanism improves performance and prevents lock starvation by ensuring fairhandling of multiple CPUs competing for the global task lock. This change also resolves a known issuetracked in Red Hat Bugzilla #1454844, which was present in earlier releases and which caused softlockups under heavy load.

Note that any kernel modules built for previous versions of Red Hat Enterprise Linux 7 for ARM (againstthe kernel-alt packages) must be rebuilt against the updated kernel.

CMA disabled by defaultOn 64-bit ARM Red Hat Enterprise Linux systems with memory limited to 1G or below, the ContiguousMemory Allocator (CMA) consumed large amount of memory, thus leaving insufficient memory for therest of the kernel. Consequently, the out-of-memory (OOM) condition sometimes occurred in the kernelor certain user-space applications, such as Shared Memory in Linux (SHM)(/dev/shm).

The CMA support in the Red Hat Enterprise Linux kernel is now disabled by default for all architectures,and CMA no longer causes OOM.(BZ#1519317)


83


CHAPTER 20. RED HAT ENTERPRISE LINUX 7.5 FOR IBMPOWER LE (POWER9)Red Hat Enterprise Linux 7.5 for IBM Power LE (POWER9) introduces Red Hat Enterprise Linux 7.5user space with an updated kernel, which is based on version 4.14 and is provided by the kernel-altpackages. The offering is distributed with other updated packages but most of it is the standard Red HatEnterprise Linux 7 Server RPMs. Installation ISO images are available on the Customer PortalDownloads page.

For information about Red Hat Enterprise Linux 7.5 installation and user space, see the Installation Guideand other Red Hat Enterprise Linux 7 documentation. For information regarding the previous version,refer to Red Hat Enterprise Linux 7.4 for IBM Power LE (POWER9) - Release Notes.

NOTE

Bare metal installations on IBM Power LE using a USB drive require you to specify the inst.stage2= boot option manually at the boot menu. See the Boot Options chapter inthe Installation Guide for detailed information.

20.1. NEW FEATURES AND UPDATES

Virtualization

KVM virtualization is now supported on IBM POWER9 systems. However, due to hardwaredifferences, certain features and functionalities differ from what is supported on AMD64 and Intel64 systems. For details, see the Virtualization Deployment and Administration Guide.

Platform Tools

OProfile now includes support for the IBM POWER9 processor. Note that the PM_RUN_INST_CMPL OProfile performance monitoring event cannot be setup and should notbe used in this version of OProfile. (BZ#1463290)

This update adds support for the IBM POWER9 performance monitoring hardware events topapi. It includes basic PAPI presets for events, such as instructions (PAPI_TOT_INS) orprocessor cycles (PAPI_TOT_CYC). (BZ#1463291)

This version of libpfm includes support for the IBM POWER9 performance monitoring hardwareevents. (BZ#1463292)

SystemTap includes backported compatibility fixes necessary for the kernel.

Previously, the memcpy() function from the GNU C Library (glibc) used unaligned vector loadand store instructions on 64-bit IBM POWER systems. Consequently, when memcpy() wasused to access device memory on POWER9 systems, performance would suffer. The memcpy() function has been enhanced to use aligned memory access instructions, to providebetter performance for applications regardless of the memory involved on POWER9, withoutaffecting the performance on previous generations of the POWER architecture. (BZ#1498925)

SecurityUSBGuard is now available as a Technology Preview on IBM Power LE (POWER9)The USBGuard software framework provides system protection against intrusive USB devices byimplementing basic whitelisting and blacklisting capabilities based on device attributes. USBGuard isnow available as a Technology Preview on IBM Power LE (POWER9).

7.5 Release Notes

84

https://access.redhat.com/downloads/content/420/ver=/rhel---7/7.5/ppc64le/product-software

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/part-installation-ibm-power

https://access.redhat.com/documentation/en/red-hat-enterprise-linux/?version=7/


https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/chap-anaconda-boot-options

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_deployment_and_administration_guide/appe-kvm_on_multiarch#appe-KVM_on_POWER

Note that USB is not supported on IBM z Systems, and the USBGuard framework cannot be provided onthose systems.

20.2. KERNEL CONFIGURATION CHANGES

HARDWARE ENABLEMENT

DEVFREQ_GOV_SIMPLE_ONDEMAND (enabled)

GPIO IRQCHIP (enabled)

HID plantronic (disabled)

I2C sensors

JC42 (disabled)

NTC thermostat (enabled)

I2C MUX (enabled)

Networking Driver Support

Broadcom B44 driver (disabled)

Brocade BNA driver (disabled)

Calxeda driver(disabled)

IBM ethernet driver [ehea] (disabled)

Intel E1000 driver (disabled)

Mellanox driver [mlxsw] (disabled)

Netronoma driver [NFP] (disabled)

Qlogic [qla3xxx] driver (disabled)

SFC falcon driver (disabled)

Wireless (disabled)

WLAN (disabled)

Ath driver (disabled)

Ath10k driver (disabled)

Ath 9k driver (disabled)

Ath wil6210 (disabled)

Broadcom WLAN (disabled)

Broadcom brcm80211 (disabled)

CHAPTER 20. RED HAT ENTERPRISE LINUX 7.5 FOR IBM POWER LE (POWER9)

85

Intel WLAN (disabled)

Intel iwlegacy (disabled)

Intel iwlwifi (disabled)

Marvell driver (disabled)

Marvell mwiflex (disabled)

Ralink WLAN driver (disabled)

Ralink rt2x00 driver (disabled)

Realtek driver (disabled)

Realtek rt1818x driver (disabled)

Realtek rtiwifi driver (disabled)

NVME driver + target driver (enabled)

ptp 1588 driver (disabled)

s390 HMC driver (disabled)

RTL8192e driver (disabled)

RTL8712u driver (disabled)

Serial UARTLITE driver (enabled)

USB LED trigger USBPORT (disabled)

USBIP driver (disabled)

Power Mgt Deubg + Adv Debug + Sleep Debug (enabled)

CORE KERNEL SUPPORT

Sched Imbalance patchset (enabled)

OPTprobes, kprobe on ftrace (enabled)

64bit Aligned Access (disabled)

Arch Soft Dirty (enabled)

Arch MMAP Rnd Compat (disabled)

SWIOTLB (disabled)

Crypto: akcipher, rsa (enabled)

Compression:

Kernel gzip support (enabled)

7.5 Release Notes

86

Kernel XZ support (enabled)

Locking: Mutex spin on owner (enabled in debugging kernel)

Function Tracer (enabled)

Dynamic Ftrace (enabled)

Ftrace mcount record (enabled)

Common kernel Libaries

Rational (enabled)

Btree (enabled)

libfdt (enabled)

parman (disabled)

MM

NO_BOOTMEM (enabled)

MOVABLE NODE (enabled)

HMM (Hetrogenous Memory Management) (enabled)

HMM Mirrored (enabled)

Coherent Device Memory (CDM) (enabled)

Zone Device (enabled)

IMA (enabled)

YAMA (disabled)

Networking Stack Support

Compact Netlink Msg (disabled)

BPF_JIT (enabled)

DCCP (disabled)

CCIDS (disabled)

IPv6 NF target NPT (disabled)

Mac80211 (disabled)

Desktop, Graphic, and GPU Support

DRM_DP_AUX_CHARDEV (enabled)

STK1160 video usb driver (disabled)


87

V412 BUF2_DMA_SG (enabled)

Storage Support

DAX (disabled)

NVDIMM + PFN + DAX (enabled)

SCSI

3Ware 9xxx driver (disabled)

3Ware sAS driver (disabled)

ARCMSR driver (disabled)

AIC79xx driver (disabled)

Broadcom Bnx2x driver (enabled)

Broadcom Bnx2 driver (disabled)

QED driver (disabled)

QEDI driver (disabled)

File Systems

BTRFS (disabled)

DLM (disabled)

GFS2 DLM locking support (disabled)

Virtualization and KVM Support

vhost [vsock] (disabled)

VMWare vsock (disabled)

20.3. SUPPORT IN RED HAT SATELLITE

System management of Red Hat Enterprise Linux 7.5 for IBM POWER LE (POWER9) is supported inRed Hat Satellite 6 but not in Red Hat Satellite 5.

20.4. KNOWN ISSUES

SELinux MLS policy is not supported with kernel version 4.14SELinux Multi-Level Security (MLS) Policy denies unknown classes and permissions, and kernelversion 4.14 in the kernel-alt packages recognizes the map permission, which is not defined in anypolicy. Consequently, every command on a system with active MLS policy and SELinux in enforcingmode terminates with the Segmentation fault error. A lot of SELinux denial warnings occurs onsystems with active MLS policy and SELinux in permissive mode. The combination of SELinux MLSpolicy with kernel version 4.14 is not supported.

kdump saves the vmcore only if mpt3sas is blacklisted

7.5 Release Notes

88

When kdump kernel loads the mpt3sas driver, the kdump kernel crashes and fails to save the vmcoreon certain POWER9 systems. To work around this problem, blacklist mpt3sas from the kdump kernelenvironment by appending the module_blacklist=mpt3sas string to the KDUMP_COMMANDLINE_APPEND variable in the /etc/sysconfig/kdump file:

KDUMP_COMMANDLINE_APPEND="irqpoll maxcpus=1 ... module_blacklist=mpt3sas"

Then restart the kdump service to pick up the changes to the configuration file by running the systemctl restart command as the root user:

~]# systemctl restart kdump.service

As a result, kdump is now able to save the vmcore on the POWER9 systems. (BZ#1496273)

Recovering from OOM situation fails due to incorrect function of OOM-killerRecovering from an out-of-memory (OOM) situation does not work correctly on systems with largeamounts of memory. Kernel's OOM-killer kills the process using the most memory and frees the memoryto be used again. However, sometimes the OOM-killer does not wait long enough before killing a secondprocess. Eventually, the OOM-killer kills all the processes on the system and logs this error:

Kernel panic - not syncing: Out of memory and no killable processes...

If this happens, the operating system must be rebooted. There is no available workaround.(BZ#1405748)

HTM is disabled for guests running on IBM POWER systemsThe Hardware Transactional Memory (HTM) feature currently prevents migrating guest virtual machinesfrom IBM POWER8 to IBM POWER9 hosts, and has therefore been disabled by default. As aconsequence, guest virtual machines running on IBM POWER8 and IBM POWER9 hosts cannot useHTM, unless the feature is manually enabled.

To do so, change the default pseries-rhel7.5 machine type of these guests to pseries-rhel7.4.Note that guests configured this way cannot be migrated from an IBM POWER8 host to an IBMPOWER9 host. (BZ#1525599)

Migrating guests with huge pages from IBM POWER8 to IBM POWER9 failsIBM POWER8 hosts can only use 16MB and 16GB huge pages, but these huge-page sizes are notsupported on IBM POWER9. As a consequence, migrating a guest from an IBM POWER8 host to anIBM POWER9 host fails if the guest is configured with static huge pages.

To work around this problem, disable huge pages on the guest and reboot it prior to migration.(BZ#1538959)

modprobe succeeds to load kernel modules with incorrect parametersWhen attempting to load a kernel module with an incorrect parameter using the modprobe command,the incorrect parameter is ignored, and the module loads as expected on Red Hat Enterprise Linux 7 forARM and for IBM Power LE (POWER9).

Note that this is a different behavior compared to Red Hat Enterprise Linux for traditional architectures,such as AMD64 and Intel 64, IBM z Systems and IBM Power Systems. On these systems, modprobeexits with an error, and the module with an incorrect parameter does not load in the described situation.

On all architectures, an error message is recorded in the dmesg output. (BZ#1449439)


89

20.5. BUG FIXES

kdump no longer hangs due to the attempts to read the memory from on-board devicesOn the little-endian variants of IBM Power Systems hardware, the kdump mechanism becameunresponsive because the kernel attempted to read the memory from on-board devices such as theGPU, and include it as a part of the vmcore. This update fixes kexec-tools to skip the on-boarddevices when attempting to read the memory during kdump. As a result, kdump now works correctly, the vmcore is saved to disk and the operating system reboots as expected. (BZ#1478049)

7.5 Release Notes

90

CHAPTER 21. ATOMIC HOST AND CONTAINERS

Red Hat Enterprise Linux Atomic HostRed Hat Enterprise Linux Atomic Host is a secure, lightweight, and minimal-footprint operating systemoptimized to run Linux containers. See the Atomic Host and Containers Release Notes for the latest newfeatures, known issues, and Technology Previews.

CHAPTER 21. ATOMIC HOST AND CONTAINERS

91

https://access.redhat.com/documentation/en/red-hat-enterprise-linux-atomic-host/7/single/release-notes/

CHAPTER 22. RED HAT SOFTWARE COLLECTIONSRed Hat Software Collections is a Red Hat content set that provides a set of dynamic programminglanguages, database servers, and related packages that you can install and use on all supportedreleases of Red Hat Enterprise Linux 7 on AMD64 and Intel 64 architectures, the 64-bit ARMarchitecture, IBM z Systems, and IBM POWER, little endian. Certain components are available also forall supported releases of Red Hat Enterprise Linux 6 on AMD64 and Intel 64 architectures.

Red Hat Developer Toolset is designed for developers working on the Red Hat Enterprise Linux platform.It provides current versions of the GNU Compiler Collection, GNU Debugger, and other development,debugging, and performance monitoring tools. Red Hat Developer Toolset is included as a separateSoftware Collection.

Dynamic languages, database servers, and other tools distributed with Red Hat Software Collections donot replace the default system tools provided with Red Hat Enterprise Linux, nor are they used inpreference to these tools. Red Hat Software Collections uses an alternative packaging mechanismbased on the scl utility to provide a parallel set of packages. This set enables optional use of alternativepackage versions on Red Hat Enterprise Linux. By using the scl utility, users can choose whichpackage version they want to run at any time.

IMPORTANT

Red Hat Software Collections has a shorter life cycle and support term than Red HatEnterprise Linux. For more information, see the Red Hat Software Collections Product LifeCycle.

See the Red Hat Software Collections documentation for the components included in the set, systemrequirements, known problems, usage, and specifics of individual Software Collections.

See the Red Hat Developer Toolset documentation for more information about the components includedin this Software Collection, installation, usage, known problems, and more.

7.5 Release Notes

92

https://access.redhat.com/support/policy/updates/rhscl

https://access.redhat.com/documentation/en-US/red_hat_software_collections

https://access.redhat.com/documentation/en-US/red_hat_developer_toolset


This part describes bugs fixed in Red Hat Enterprise Linux 7.5 that have a significant impact on users.


93


runc notifies systemd about user-specified CPU quota limitsPreviously, the runc program did not notify systemd about user-specified CPU quota limits when acontainer was started. Consequently, systemd was unaware of the user-specified limits, and thereforethe CPU quota was reset to the default value (unlimited) during the systemctl daemon-reloadoperation. With this update, runc now notifies systemd about user-specified CPU quota limits when acontainer is started, and the described problem no longer occurs. (BZ#1455071)

Segmentation faults in applications because of only non-existent paths in LD_LIBRARY_PATH no longer happenPreviously, when the LD_LIBRARY_PATH environment variable contained only non-existent paths, thedynamic loader produced a segmentation fault. Consequently, applications terminated unexpectedly witha segmentation fault at startup in the described situation. The dynamic loader has been fixed. As aresult, applications no longer terminate unexpectedly in the described situation.

Note that updating the glibc package is enough to fix this bug for any affected applications.(BZ#1443236)

The setup package now creates the tape group with the correct group numberPreviously, when installing the setup package, the tape group was created with an ID that wasinconsistent with all other versions of Red Hat Enterprise Linux. With this update, the group ID has beenchanged from 30 to the standard 33. As a result, fresh installations of the operating system now have thecorrect group number for the tape group.

On previously installed systems affected by this problem:

1. Edit the group ID in the /etc/group and /etc/gshadow files.

2. Change the group ownership for all files owned by the former tape group. (BZ#1433020)

7.5 Release Notes

94



The IdM LDAP server no longer becomes unresponsive when resolving an ADuser takes a long timeWhen the System Security Services Daemon (SSSD) took a long time to resolve a user from a trustedActive Directory (AD) domain on the Identity Management (IdM) server, the IdM LDAP server sometimesexhausted its own worker threads. Consequently, the IdM LDAP server was unable to respond to furtherrequests from SSSD clients or other LDAP clients. This update adds a new API to SSSD on the IdMserver, which enables identity requests to time out. Also, the IdM LDAP extended identity operationsplug-in and the Schema Compatibility plug-in now support this API to enable canceling requests that taketoo long. As a result, the IdM LDAP server can recover from the described situation and keep respondingto further requests. (BZ#1415162, BZ#1473571, BZ#1473577)

Application configuration snippets in /etc/krb5.conf.d/ are now automaticallyread in existing configurationsPreviously, Kerberos did not automatically add support for the /etc/krb5.conf.d/ directory toexisting configurations. Consequently, application configuration snippets in /etc/krb5.conf.d/ werenot read unless the user added the include statement for the directory manually. This update modifiesexisting configurations to include the appropriate includedir line pointing to /etc/krb5.conf.d/.As a result, applications can rely on their configuration snippets in /etc/krb5.conf.d.

Note that if you manually remove the includedir line after this update, successive updates will not addit again. (BZ#1431198)

pam_mkhomedir can now create home directories under /Previously, the pam_mkhomedir module was unable to create subdirectories under the / directory.Consequently, when a user with a home directory in a non-existent directory under / attempted to log in,the attempt failed with this error:

Unable to create and initialize directory '/<directory_path>'.

This update fixes the described problem, and pam_mkhomedir is now able to create home directories inthis situation.

Note that even after applying this update, SELinux might still prevent pam_mkhomedir from creating thehome directory, which is the expected SELinux behavior. To ensure pam_mkhomedir is allowed tocreate the home directory, modify the SELinux policy using a custom SELinux module, which enables therequired paths to be created with the correct SELinux context. (BZ#1509338)

Kerberos operations depending on KVNO in the keytab file no longer fail when aRODC is usedThe adcli utility did not handle the key version number (KVNO) properly when updating Kerberos keyson a read-only domain controller (RODC). Consequently, some operations, such as validating aKerberos ticket, failed because no key with a matching KVNO was found in the keytab file. With thisupdate, adcli detects if a RODC is used and handles the KVNO accordingly. As a result, the keytab filecontains the right KVNO, and all Kerberos operations depending on this behavior work as expected.(BZ#1471021)

krb5 properly displays errors about PKINIT misconfiguration in single-realm KDCenvironmentsPreviously, when Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) wasmisconfigured, the krb5 package did not report the incorrect configuration to the administrator. Forexample, this problem occurred when the deprecated pkinit_kdc_ocsp option was specified in the


95






/etc/krb5.conf file. With this update, krb5 exposes PKINIT initialization failures when only one realmis specified in the Kerberos key distribution center (KDC). As a result, single-realm KDCs report PKINITmisconfiguration properly. (BZ#1460089)

Certificate System no longer incorrectly logs ROLE_ASSUME audit eventsPreviously, Certificate System incorrectly generated the ROLE_ASSUME audit event for certain operationseven if no privileged access occurred for a user. Consequently, the event was incorrectly logged. Theproblem has been fixed and ROLE_ASSUME events are no longer logged in the mentioned scenario.(BZ#1461524)

Updated attributes in CERT_STATUS_CHANGE_REQUEST_PROCESSED audit log eventPreviously, the CERT_STATUS_CHANGE_REQUEST_PROCESSED audit event in log files contained thefollowing attributes:

ReqID - The requester ID

SubjectID - The subject ID of the certificate

For consistency with other audit events, the attributes have been modified and now contain the followinginformation:

ReqID - The request ID

SubjectID - The requester ID (BZ#1461217)

Signed audit log verification now works correctlyPreviously, due to improper logging system initialization and incorrect signature calculation by theverification tool, signed audit log verification could fail on the first log entry and after log rotation. With thisupdate, the logging system and the verification tool have been fixed. As a result, signed audit logverification now works correctly in the mentioned scenarios. (BZ#1404794)

Certificate System now validates the banner fileA previous version of Certificate System introduced a configurable access banner - a custom message tobe displayed in the PKI console at the start of every secure session. The contents of this banner were notvalidated, which could cause a JAXBUnmarshalException error if the message contained invalidUTF-8 characters. With this update, the contents of the banner file are validated both on server startupand on client requests. If the file is found to contain invalid UTF-8 characters on server startup, the serverwill not start. If invalid characters are found when a client requests the banner, the server will return anerror message and not send the banner to the client. (BZ#1446579)

The TPS subsystem no longer fails when performing a symmetric key changeoveron a HSMPreviously, attempting to perform a symmetric key changeover with the master key on a HardwareSecurity Module (HSM) token failed with an error reported by the Certificate System Token ProcessingSystem (TPS) subsystem. This update fixes the way the master key on a HSM is used to calculate thenew key set, allowing the TPS to successfully upgrade a token key set when the master resides on aHSM. The fix is currently verified with the G&D SmartCafe 6.0 HSM. (BZ#1465142)

Certificate System CAs no longer display an error when handing subject DNswithout a CN componentPreviously, an incoming request missing the Common Name (CN) component caused a NullPointerException on the Certificate Authority (CA) because the implementation expected theCN to be present in the subject Distinguished Name (DN) of the Certificate Management over CMS(CMC). This update allows the CA to handle subject DN without a CN component, preventing theexception from being thrown. (BZ#1474658)

7.5 Release Notes

96





The pki-server-upgrade utility no longer fails if target files are missingA bug in the pki-server-upgrade utiltiy caused it to attempt to locate a non-existent file. As aconsequence, the upgrade process failed to complete, and could possibly leave the PKI deployment inan invalid state. With this update, pki-server-upgrade has been modified to correctly handle caseswhere target files are missing, and PKI upgrades now work correctly. (BZ#1479663)

The Certificate System CA key replication now works correctlyA previous update to one of the key unwrapping functions introduced a requirement for a key usageparameter which was not being supplied at the call site, which caused lightweight Certiciate Authority(CA) key replication to fail. This bug has been fixed by modifying the call site so that it supplies the keyusage parameter, and lightweight CA key replication now works as expected. (BZ#1484359)

Certificate System no longer fails to import PKCS #12 filesAn earlier change to PKCS #12 password encoding in the Network Security Services (NSS) causedCertificate System to fail to import PKCS #12 files. As a consequence, the Certificate Authority (CA)clone installation could not be completed. With this update, PKI will retry a failed PKCS #12 decryptionwith a different password encoding, which allows it to import PKCS #12 files produced by both old andnew versions of NSS, and CA clone installation succeeds. (BZ#1486225)

The TPS user interface now displays the token type and origin fieldsPreviously, the tps-cert-find and tps-cert-show Token Processing System (TPS) user interfaceutilites did not display the token type and origin fields which were present in the legacy TPS interface.The interface has been updated and now displays the missing information. (BZ#1491052)

Certificate System issued certificates with an expiration date later than theexpiration date of the CA certificatePreviously, when signing a certificate for an external Certificate Authority (CA), Certificate System usedthe ValidityConstraint plug-in. Consequently, it was possible to issue certificates with a later expirydate than the expiry date of the issuing CA. This update adds the CAValidityConstraint plug-in tothe registry so that it becomes available for the enrollment profiles. In addition, the ValidityConstraint plug-in in the caCMCcaCert profile has been replaced with the CAValidityConstraint plug-in which effectively sets the restrictions. As a result, issuing certificateswith an expiry date later than the issuing CA is no longer allowed. (BZ#1518096)

CA certificates without SKI extension no longer causes issuance failuresA previous update of Certificate System incorrectly removed a fallback procedure, which generated theIssuer Key Identifier. Consequently, the Certificate Authority (CA) failed to issue certificates if the CAsigning certificate does not have the Subject Key Identifier (SKI) extension set. With this update, themissing procedure has been added again. As a result, issuing certificates no longer fails if the CAsigning certificate does not contain the SKI extension. (BZ#1499054)

Certificate System correctly logs the user name in CMC request audit eventsPreviously, when Certificate System received a Certificate Management over CMS (CMC) request, theserver logged an audit event with the SubjectID field set to $NonRoleUser$. As a result,administrators could not verify who issued the request. This update fixes the problem, and CertificateSystem now correctly logs the user name in the mentioned scenario. (BZ#1506819)

The Directory Server trivial word check password policy now works as expectedPreviously, when you set a userPassword attribute to exactly the same value as an attribute restrictedby the passwordTokenMin setting with the same length, Directory Server incorrectly allowed thepassword update operation. With this update, the trivial word check password policy feature nowcorrectly verifies the entire user attribute value as a whole, and the described problem no longer occurs.(BZ#1517788)


97








The pkidestroy utility now fully removes instances that are started by the pki-tomcatd-nuxwdog servicePreviously, the pkidestroy utility did not remove Certificate System instances that used the pki-tomcatd-nuxwdog service as a starting mechanism. As a consequence, administrators had to migrate pki-tomcatd-nuxwdog to the service without watchdog before using pkidestroy to fully remove aninstance. The utility has been updated, and instances are correctly removed in the mentioned scenario.

Note that if you manually removed the password file before running pkidestroy, the utility will ask forthe password to update the security domain. (BZ#1498957)

The Certificate System deployment archive file no longer contains passwords inplain textPreviously, when you created a new Certificate System instance by passing a configuration file with apassword in the [DEFAULT] section to the pkispawn utility, the password was visible in the archiveddeployment file. Although this file has world readable permissions, it is contained within a directory that isonly accessible by the Certificate Server instance user, which is pkiuser, by default. With this update,permissions on this file have been restricted to the Certificate Server instance user, and pkispawn nowmasks the password in the archived deployment file.

To restrict access to the password on an existing installation, manually remove the password from the /etc/sysconfig/pki/tomcat/<instance_name>/<subsystem>/deployment.cfg file, and setthe file's permissions to 600. (BZ#1532759)

ACIs with the targetfilter keyword work correctlyPreviously, if an Access Control Instruction (ACI) in Directory Server used the targetfilter keyword,searches containing the geteffective rights control returned before the code was executed fortemplate entries. Consequently, the GetEffectireRights() function could not determine thepermissions when creating entries and returned false-negative results when verifying an ACI. With thisupdate, Directory Server creates a template entry based on the provided geteffective attribute andverifies access to this template entry. As a result, ACIs in the mentioned scenario work correctly.(BZ#1459946)

Directory Server searches with a scope set to one have been fixedDue to a bug in Directory Server, searches with a scope set to one returned all child entries instead ofonly the ones that matched the filter. This update fixes the problem. As a result, searches with scope one only return entries which are matching the filter. (BZ#1511462)

Clear error message when sending TLS data to a non-LDAPS portPreviously, Directory Server decoded TLS protocol handshakes sent to a port that was configured to useplain text as an LDAPMessage data type. However, decoding failed and the server reported themisleading BER was 3 bytes, but actually was <greater> error. With this update, DirectoryServer detects if TLS data is sent to a port configured for plain text and returns the following errormessage to the client:

Incoming BER Element may be misformed. This may indicate an attempt to use TLS on a plaintext port, IE ldaps://localhost:389. Check your client LDAP_URI settings.

As a result, the new error message indicates that an incorrect client configuration causes the problem.(BZ#1445188)

Directory Server no longer logs an error if not running the cleanallruv taskAfter removing a replica server from an existing replication topology without running the cleanallruv

7.5 Release Notes

98






task, Directory Server previously logged an error about not being able to replace referral entries. Thisupdate adds a check for duplicate referrals and removes them. As a result, the error is no longer logged.(BZ#1434335)

Using a large number of CoS templates no longer slow down the virtual attributeprocessing timeDue to a bug, using a large number of Class of Service (CoS) templates in Directory Server increasedthe virtual attribute processing time. This update improves the structure of the CoS storage. As a result,using a large number of CoS templates no longer increases the virtual attribute processing time.(BZ#1523183)

Directory Server now handles binds during an online initialization correctlyDuring an online initialization from one Directory Server master to another, the master receiving thechanges is temporarily set into a referral mode. While in this mode, the server only returns referrals.Previously, Directory Server incorrectly generated these bind referrals. As a consequence, the servercould terminate unexpectedly in the mentioned scenario. With this update, the server correctly generatesbind referrals. As a result, the server now correctly handles binds during an online initialization.(BZ#1483681)

The [email protected] meta target is now linked to multi-user.targetPreviously, the [email protected] meta target had the Wants parameter set to dirsrv.target in itssystemd file. When you enabled [email protected], this correctly enabled the service to the dirsrv.target, but dirsrv.target was not enabled. Consequently, Directory Server did not startwhen the system booted. With this update, the [email protected] meta target is now linked to multi-user.target. As a result, when you enable [email protected], Directory Server starts automaticallywhen the system boots. (BZ#1476207)

The memberOf plug-in now logs all update attempts of the memberOf attributeIn certain situations, Directory Server fails to update the memberOf attribute of a user entry. In this case,the memberOf plug-in logs an error message and forces the update. In the previous Directory Serverversion, the second try was not logged if it was successful. Consequently, the log entries weremisleading, because only the failed attempt was logged. With this update, the memberOf plug-in alsologs the successful update if the first try failed. As a result, the plug-in now logs the initial failure, and thesubsequent successful retry as well. (BZ#1533571)

The Directory Server password policies now work correctlyPreviously, subtree and user password policies did not use the same default values as the globalpassword policy. As a consequence, Directory Server incorrectly skipped certain syntax checks. This bughas been fixed. As a result, the password policy features work the same for the global configuration andthe subtree and user policies. (BZ#1465600)

A buffer overflow has been fixed in Directory ServerPreviously, if you configured an attribute to be indexed and imported an entry that contained a largebinary value into this attribute, the server terminated unexpectedly due to an buffer overflow. The bufferhas been fixed. As a result, the server works as expected in the mentioned scenario. (BZ#1498980)

Directory Server now sends the password expired control during grace loginsPreviously, Directory Server did not send the expired password control when an expired password hadgrace logins left. Consequently, clients could not tell the user that the password was expired or howmany grace logins were left. The problem has been fixed. As a result, clients can now tell the user if apassword is expired and how many grace logins remain. (BZ#1464505)

An unnecessary global lock has been removed from Directory Server


99









Previously, when the memberOf plug-in was enabled and users and groups were stored in separateback ends, a deadlock could occur. An unnecessary global lock has been removed and, as a result, thedeadlock no longer occurs in the mentioned scenario. (BZ#1501058)

Replication now works correctly with TLS client authentication and FIPS modeenabledPreviously, if you used TLS client authentication in a Directory Server replication environment withFederal Information Processing Standard (FIPS) mode enabled, the internal Network Security Services(NSS) database token differed from a token on a system with FIPS mode disabled. As a consequence,replication failed. The problem has been fixed, and as a result, replication agreements with TLS clientauthentication now work correctly if FIPS mode is enabled. (BZ#1464463)

Directory Server now correctly sets whether virtual attributes are operationalThe pwdpolicysubentry subtree password policy attribute in Directory Server is flagged asoperational. However, in the previous version of Directory Server, this flag was incorrectly applied tofollowing virtual attributes that were processed. As a consequence, the search results were not visible tothe client. With this update, the server now resets the attribute before processing the next virtual attributeand Class of Service (CoS). As a result, the expected virtual attributes and CoS are now returned to theclient. (BZ#1453155)

Backup now succeeds if replication was enabled and a changelog file existedPreviously, if replication was enabled and a changelog file existed, performing a backup on this masterserver failed. This update sets the internal options for correctly copying a file. As a result, creating abackup now succeeds in the mentioned scenario. (BZ#1476322)

Certificate System updates the revocation reason correctlyPreviously, if a user temporarily lost a smart card token, the administrator of a Certificate System TokenProcessing System (TPS) in some cases changed the status of the certificate from on hold to permanently lost or damaged. However, the new revocation reason did not get reflected on the CA.With this update, it is possible to change a certificate status from on hold directly to revoked. As aresult, the revocation reason is updated correctly. (BZ#1500474)

A race condition has been fixed in the Certificate System clone installationprocessIn certain situations, a race condition arose between the LDAP replication of security domain sessionobjects and the execution of an authenticated operation against a clone other than the clone where thelogin occurred. As a consequence, cloning a Certificate System installation failed. With this update, theclone installation process now waits for the security domain login to finish before it enables the securitydomain session objects to be replicated to other clones. As a result, the clone installation no longer fails.(BZ#1402280)

Certificate System now uses strong ciphers by defaultWith this update, the list of enabled ciphers has been changed. By default, only strong ciphers, which arecompliant with the Federal Information Processing Standard (FIPS), are enabled in Certificate System.

RSA ciphers enabled by default:

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

7.5 Release Notes

100





TLS_RSA_WITH_AES_128_CBC_SHA256


TLS_RSA_WITH_AES_128_CBC_SHA


Note that the TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_AES_256_CBC_SHA ciphersneed to be enabled to enable the pkispawn utility to connect to the LDAP server during the installationand configuration.

ECC ciphers enabled by default:

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA


TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA


TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

In addition, the default ranges of the sslVersionRangeStream and sslVersionRangeDatagramparameters in the /var/lib/pki/<instance_name>/conf/server.xml file now use only TLS 1.1and TLS 1.2 ciphers. (BZ#1539125)

The pkispawn utility no longer displays incorrect errorsPreviously, during a successful installation of Certificate System, the pkispawn utility incorrectlydisplayed errors related to deleting temporary certificates. The problem has been fixed, and the errormessages no longer display if the installation succeeds. (BZ#1520277)

The Certificate System profile configuration update method now correctly handlesbackslashesPreviously, a parser in Certificate System removed backslash characters from the configuration when auser updated a profile. As a consequence, affected profile configurations could not be correctly imported,and issuing certificates failed or the system issued incorrect certificates. Certificate System now uses aparser that handles backslashes correctly. As a result, profile configuration updates import theconfiguration correctly. (BZ#1541853)


101





Pacemaker correctly implements fencing and unfencing for Pacemaker remotenodesPreviously, Pacemaker did not implement unfencing for Pacemaker remote nodes. As a consequence,Pacemaker remote nodes remained fenced even if a fence device required unfencing. With this update,Pacemaker correctly implements both fencing and unfencing for Pacemaker remote nodes, and thedescribed problem no longer occurs. (BZ#1394418)

Pacemaker now probes guest nodesImportant update for users of guest nodes.

Pacemaker now probes guest nodes, which are Pacemaker remote nodes created using the remote-node parameter of a resource such as VirtualDomain. If users were previously relying on the fact thatprobes were not done, the probes may fail, potentially causing fencing of the guest node. If a guest nodecannot run a probe of a resource (for example, if the software is not even installed on the guest), thenthe location constraint banning the resource from the guest node should have the resource-discovery option set to never, the same as would be required with a cluster node or remote node inthe same situation. (BZ#1489728)

The pcs resource cleanup command no longer generates unnecessary clusterloadThe pcs resource cleanup command cleans the records of failed resource operations that havebeen resolved. Previously, the command probed all resources on all nodes, generating an unnecessaryload on cluster operation. With this fix, the command probes only the resources for which a resourceoperation failed. The previous functionality of the pcs resource cleanup command has beenreplaced by the new pcs resource refresh command, which probes all resources on all nodes. Forinformation on cluster resource cleanup, see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/high_availability_add-on_reference/#s1-resource_cleanup-HAAR. (BZ#1508351)

Warning generated when user specifies action attribute for stonith devicePreviously, it was possible for a user to set an action attribute for a stonith device, even though thisoption is deprecated and is not recommended as it can cause unexpected fencing. The following fixeshave been implemented:

When a user tries to set an action option of a stonith device with the CLI, this generates awarning message along with the instructions to use the --force flag to set this attribute.

The pcsd Web UI now displays a warning message next to action option field.

The output of the pcs status command displays a warning when a stonith device has the action option set. (BZ#1421702)

It is now possible to enable stonith agent debugging without specifying the --force flagPreviously, attempting to enable debugging of a stonith agent by setting the debug or verboseparameters required that the user specify the --force flag. With this fix, using the --force flag is nolonger necessary. (BZ#1432283)

The fence_ilo3 resource agent no longer has a default value of cycle for the action parameterPreviously, the fence_ilo3 resource agent had a default value of cycle for the action parameter.

7.5 Release Notes

102



https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/high_availability_add-on_reference/#s1-resource_cleanup-HAAR



This value is unsupported, as it may cause data corruption. The default value for this parameter is now onoff. Additionally, a warning is now displayed in the output of the pcs status command and the webUI if a stonith device has its method option set to cycle. (BZ#1519370, BZ#1523378)

Pacemaker no longer starts up when sbd is enabled but not started successfullyby systemdPreviously, if sbd did not start properly, systemd would still start Pacemaker. This would lead to sbdpoison pill triggered reboots not being performed without this being detected by fence_sbd and, in thecase of quorum-based watchdog fencing, the nodes losing quorum would not self-fence either. With thisfix, if sbd does not come up properly Pacemaker is not started. This should prevent all sources of datacurruption due to sbd not coming up. (BZ#1525981)

A fenced node in an ‘sbd’ setup now shuts down reliablyPreviously, when a node received an ‘off’ via the poison pill mechanism used by ‘sbd’ on a shared disk,the node would be likely to reboot instead of powering off. With this fix, receiving an ‘off’ will power off thenode. Receiving a ‘reset’ will reboot the node. If the node is not able to perform the software-drivenreboot or power off properly, the watchdog is going to trigger and the action performed is what thewatchdog device is configured to. A fenced node in an ‘sbd’ setup now shuts down reliably if thewatchdog device is configured to power off the node, and fencing is requesting ‘off’ via the poison pillmechanism on a shared disk. (BZ#1468580)

IPaddr2 resource agent now finds NIC for IPv6 addresses with 128 netmaskPreviously, the IPaddr2 resource agent failed to find the NIC for IPv6 addresses with 128 netmask.This fix corrects that issue. (BZ#1445628)

portblock agent no longer yields excessive unnecessary messagesPreviously, the portblock agent would flood the /var/log/messages file with monitoring messagesthat provided no useful information. With this fix, the /var/log/messages file contains more limitedlogging output from the portblock agent. (BZ#1457382)

/var/run/resource-agents directory now persists across rebootsPreviously, the /var/run/resource-agents directory, created at installation of the resource-agents package, was not persistent across reboots. With this fix, the directory is now present after areboot. (BZ#1462802)


103








Package selection now works in system-config-kickstartA bug in the system-config-kickstart graphical Kickstart file creation utility caused the packageselection to be unavailable because the tool could not download package information from repositories.This bug is now fixed, and you can now configure package selection in system-config-kickstartagain. (BZ#1272068)

NVMe devices no longer show up as Unknown in parted and AnacondaPreviously, any Non-Volatile Memory Express (NVMe) devices were not being recognized by the Anaconda installer and the parted storage configuration tool during the installation, and were insteadbeing labeled as Model: Unknown (unknown). This update backports an upstream patch thatenables recognition of these devices, and they are now being correctly identified as NVMe Device (nvme) during installation. (BZ#1316239)

DBD::MySQL now sends and receives smaller integers correctly on big-endianplatformsPreviously, the DBD::MySQL Perl driver incorrectly handled integers smaller than 64 bits on big endianplatforms. Consequently, tests for prepared statements failed for certain variable sizes on the IBM zSystems architecture. This bug has been fixed, and the described problem no longer occurs.(BZ#1311646)

The version Perl module now supports tainted input and tainted version objectsPreviously, the version module of Perl was unable to correctly parse tainted input. Consequently,when building a version object from a tainted variable, the version->new() method reported the Invalid version format (non-numeric data) error. This update adds support for parsingtainted input and for printing tainted version objects and strings. (BZ#1378885)

The HTTP::Daemon Perl module now supports IPv6Previously, the HTTP::Daemon Perl module did not support IPv6 addresses. Consequently, whenrunning an HTTP::Daemon::SSL server on an IPv6 address, the server terminated unexpectedly on anattempt to print the IPv6 address with an Arg length for inet_ntoa error message. With thisupdate, the HTTP::Daemon module has been ported from the IO::Socket::INET to the IO::Socket::IP module. As a result, HTTP::Daemon handles IPv6 addresses as expected.(BZ#1413065)

GDB shows inline function names in breakpoint listingPreviously, the GDB debugger showed caller function names instead of inlined callee function nameswhen listing breakpoints. As a consequence, GDB users were not able to identify breakpoints placed oninline functions from the function name. GDB has been extended to store names of inline callee functionswhen breakpoints are placed. As a result, GDB now correctly displays names of inline functions whenlisting breakpoints. (BZ#1228556)

Relocation failures at module load time due to wrong GCC alignment fixedPreviously, GCC generated code containing .toc sections with 2^0 alignment. As a consequence,relocation failures could occur at module load time. GCC has been changed to generate .toc sectionsaligned to 2^3. This fix eliminates most cases of occurrence of this bug. (BZ#1487434)

The istream::sentry object from the gcc C++ standard library no longer throwsexceptionsPreviously, the istream::sentry object from the gcc C++ standard library did not properly handleexceptions that happen while skipping whitespace. As a consequence, an unexpected exception could

7.5 Release Notes

104




occur in the object's code. The constructor for the sentry class has been fixed to catch the exceptionsand update the error state of the istream object appropriately. (BZ#1469384)

Multiple fixes in gdb on IBM PowerPreviously, various features of the gdb debugger have been broken on the IBM Power architecture:

Record and replay functionality was not available and resulted in error messages or not restoringthe previous register values.

Printing short vector return values resulted in wrong values displayed.

Single stepping over atomic sequences failed to actually step over them - the program counterdid not change.

This update fixes these features. (BZ#1480498, BZ#1480496, BZ#1480497)

GDB no longer crashes when dumping core from a process that terminatesPreviously, the GDB debugger did not consider that a process can be terminated while GDB is dumping itinto a core file. As a consequence, when a dumped program terminated after receiving an unexpected SIGKILL signal, the gcore utility terminated unexpectedly as well. With this update, GDB has beenextended to handle this situation. As a result, GDB and the gcore command no longer terminateunexpectedly and create invalid core files. (BZ#1493675)

GDB can again dump memory protected by the VM_DONTDUMP flagPrevious changes to the GNU Debugger GDB made the behavior of the gcore command more similar tothe behavior of the Linux kernel when dumping process memory to increase data security. Consequently,users of GDB could not dump memory protected by the VM_DONTDUMP flag. The new set dump-excluded-mappings setting has been added to GDB to enable dumping of memory with this flag. As aresult, users can dump the whole process memory with GDB again. (BZ#1518243)

Programs using the CLONE_PTRACE flag on threads now run under stracePreviously, programs which set the CLONE_PTRACE flag on new threads caused undefined behavior ofthe strace tool, because it uses the ptrace() function for its operation. As a consequence, suchprograms could be neither traced nor executed properly. The strace tool has been modified to ignorethreads with an unexpected CLONE_PTRACE flag. As a result, programs which use CLONE_PTRACEexecute properly under strace. (BZ#1466535)

exiv2 rebased to version 0.26The exiv2 packages have been upgraded to upstream version 0.26, which provides a number of bugfixes and enhancements over the previous version. Notably, exiv2 now contains:

CMake support for Visual Studio

Recursive File Dump

ICC Profile Support

The exiv2 command for metadata piping

Lens File for user lens definitions

User defined lens types

WebP Support


105



For the complete changelog, see http://www.exiv2.org/changelog.html#v0.26. (BZ#1420227)

gssproxy fixed to properly update ccachesPreviously, the gssproxy package did not correctly handle the key version number (kvno) incrementationin Kerberos credential caches (ccaches). As a consequence, stale ccaches were not properlyoverwritten. This update fixes these problems in gssproxy ccache caching. As a result, ccaches are nowproperly updated, and the caching prevents excessive requests for updates. (BZ#1488629)

gcc on the little-endian variant of IBM Power Systems architecture no longercreates unused stack framesPreviously, using the -pg -mprofile=kernel options of the gcc compiler on the little-endian variantof IBM Power Systems architecture could result in unused stack frames being generated for leaffunctions. The gcc compiler has been fixed and the unused stack frames no longer occur in thissituation. (BZ#1468546)

Several bugs fixed in gssproxyThis update fixes several bugs in the gssproxy package. The bug fixes include preventing potentialmemory leaks and concurrency problems. (BZ#1462974)

The BFD library regains the ability to convert binary addresses to source codepositionsA previous enhancement to the BFD library from the binutils package caused a bug in parsing theDWARF debug information. As a consequence, BFD and all tools using it, such as gprof and perf,were unable to convert binary file addresses to positions in source code. With this update, BFD has beenmodified to prevent the described problem. As a result, BFD can now convert addresses in binary filesinto positions in source code as expected.

Note that tools that use the BFD library must be relinked in order to take advantage of this fix.(BZ#1465318)

Applications using vector registers for passing arguments work againPreviously, the dynamic loader in the GNU C library ( glibc ) contained an optimization which avoidedsaving and restoring vector registers for 64-bit Intel and AMD architectures. Consequently, applicationscompiled for these architectures and using unsupported vector registers for passing function arguments,not adhering to the published x86-64 psABI specification, could fail and produce unexpected results. Thisupdate changes the dynamic loader to use the XSAVE and XSAVEC context switch CPU instructions,preserving more CPU state, including all vector registers. As a result, applications using vector registersfor argument passing, in ways which are not supported by the x86-64 psABI specification, work again.(BZ#1504969)

curl now properly resets the HTTP authentication statePrior to this update, the authentication state was not reset properly when an HTTP transfer finished orwhen the 'curl_easy_reset()' function was called. Consequently, the curl tool did not send the requestbody to the following URL. With this update, the authentication state is reset properly when an HTTPtransfer is done or when curl_easy_reset() is called, and the described problem no longer occurs.(BZ#1511523)

The strip utility works againPreviously, the BFD library missed a NULL pointer check on the IBM z Systems architecture. As aconsequence, running the strip utility caused a segmentation fault. This bug has been fixed, and strip now works as expected. (BZ#1488889)

Importing python modules generated by f2py now works properlyPreviously, when dynamic linking loader was configured to load symbols globally, a segmentation fault

7.5 Release Notes

106

http://www.exiv2.org/changelog.html#v0.26




occurred when importing any python module generated by the f2py utility. This update renames the PyArray_API symbol to _npy_f2py_ARRAY_API, which prevents potential conflicts with the samesymbol in the multiarray module. As a result, importing modules generated by f2py no longer leads to asegmentation fault. (BZ#1167156)

mailx is not encoding multi-byte subjects properlyPreviously, the mailx mail user agent did not split non-ASCII message headers on multi-byte characterboundaries when encoding into the Multipurpose Internet Mail Extension (MIME) standard. As aconsequence, the headers were incorrectly decoded. This update modifies the MIME encoding functionso that it splits headers into encoded words on multi-byte character boundaries. As a result, mailx nowsends messages with headers that can be properly decoded. (BZ#1474130)

The --all-logs option now works as expected in sosreportPreviously, the --all-logs option was ignored by the apache, nscd, and logs plug-ins of the sosreport utility. This bug has been fixed, and the mentioned plug-ins now correctly handle --all-logs. Note that when using --all-logs, it is impossible to limit the size of the log with the --log-size option, which is an expected behavior. (BZ#1183243)

Python scripts can now correctly connect to HTTPS servers through a proxy,while explicitly setting the portThe Python standard library provided in Red Hat Enterprise Linux was previously updated to enablecertificate verification by default. However, a bug prevented Python scripts using the standard libraryfrom connecting to HTTPS servers using a proxy when explicitly setting the port to connect to. The samebug also prevented users from using the bootstrap script for registration with Red Hat Satellite 6 througha proxy. This bug is now fixed, and scripts can now connect to HTTPS servers and register using RedHat Satellite as expected. (BZ#1483438)


107



CHAPTER 27. DESKTOP

Stylus of Dell Canvas 27 fixedPreviously, Dell Canvas 27 contained a Wacom tablet in which the ranges were offset by default. As aconsequence, the stylus mapped to the upper left quarter of the screen. Red Hat Enterprise Linux 7.5supports the stylus of the Dell Canvas 27, making sure coordinates are accurately reported. As a result,the cursor is placed directly under the tip of the stylus as required. (BZ#1507821)

llvmpipe crashes on IBM Power SystemsOn the little-endian variant of IBM Power Systems architecture, a race-condition in GNOME Shell codepreviously caused that, the LLVM engine for Mesa, llvm-private, terminated unexpectedly. Thisupdate disables threading in the JavaScript engine which prevents the segmentation fault from occurring.As a result, llvm-private no longer crashes on IBM Power Systems. (BZ#1523121)

7.5 Release Notes

108


NFS shares no longer become unresponsive after a TCP connection is closedPreviously, NFS clients sometimes entered a 60 second TIME_WAIT period after initiating the TCPdisconnect sequence. This happened only when TCP timestamps were disabled on the connection.During the waiting period, the client was unable to reconnect the NFS TCP connection.

Due to waiting in the TIME_WAIT period, the NFS mount points were unresponsive, an rpciod kernelthread was using 100% CPU, and the retrans number in the output of the nfsstat -r command wasbecoming a very large number. In addition, NFS mounts with lower values of the timeo and retransoptions could cause I/O errors.

With this update, the NFS TCP connection is able to reconnect immediately after a disconnect sequenceusing a different source port. As a result, NFS mounts no longer become unresponsive and rpciod nolonger causes a high system load after a connection is closed. (BZ#1479043)


109


genwqe-tools updated for IBM Power Systems ppc64 and ppc64le architecturesThe genwqe-tools packages have been updated for IBM Power Systems and the little-endian variant ofIBM Power Systems. This enhancement update includes the following backported fixes from genwqe-tools master branch:

the adler32 detect corruption checksum now returns correction on the deflateSetDictionary() function

the deflateSetDictionary() function now returns error on NULL dictionary as required bythe spec file

The debugger has been removed form the zpipe_rnd.c file

Potential overflow in expression has been avoided

Out of bounds access and possible resource leak have been fixed

To simplify contributions, a Contributor License Agreement (CLA) has been changed to theDeveloper's Certificate of Origin (DCO)

Potential security hole has been resolved

The Failure of the Hardware Accelerator Tool genwqe_cksum which causes EEH, has beenresolved

Users of genwqe-tools are advised to upgrade to these updated packages, which fix these bugs and addthese enhancements. (BZ#1456492)

Hardware utility tools now correctly identify recently released hardwarePrior to this update, obsolete ID files caused that recently released hardware connected to a computerwas reported as unknown. To fix this bug, PCI, USB, and vendor device identification files have beenupdated. As a result, hardware utility tools now correctly identify recently released hardware.(BZ#1489281)

7.5 Release Notes

110


The installer no longer crashes when you select an incomplete IMSM RAID arrayduring manual partitioningPreviously, if the system being installed had a storage drive which was previously part of an Intel Matrix(IMSI) RAID array which was broken at the time of the installation, the disk was displayed as Unknown inthe Installation Destination screen in the graphical installer. If you attempted to select this driveas an installation target, the installer crashed with the An unknown error has occured message.This update adds proper handling for such drives, and allows you to use them as standard installationtargets. (BZ#1465944)

Installer now accepts additional time zone definitions in Kickstart filesStarting with Red Hat Enterprise Linux 7.0, Anaconda switched to a different, more restrictive method ofvalidating time zone selections. This caused some time zone definitions, such as Japan, to be no longervalid despite being acceptable in previous versions, and legacy Kickstart files with these definitions hadto be updated or they would default to the Americas/New_York time zone.

The list of valid time zones was previously taken from pytz.common_timezones in the pytz Pythonlibrary. This update changes the validation settings for the timezone Kickstart command to use pytz.all_timezones, which is a superset of the common_timezones list and which allowssignificantly more time zones to be specified. This change ensures that old Kickstart files made for RedHat Enterprise Linux 6 still specify valid time zones.

Note that this change only applies to the timezone Kickstart command. The time zone selection in thegraphical and text-based interactive interfaces remains unchanged. Existing Kickstart files for Red HatEnterprise Linux 7 that had valid time zone selections do not require any updates. (BZ#1452873)

Proxy configuration set up using a boot option now works correctly in AnacondaPreviously, proxy configuration made in the boot menu command line using the proxy= option was notcorrectly applied when probing remote package repositories. This was caused by an attempt to avoid arefresh of the Installation Source screen if network settings were changed. This update improvesthe installer logic so that proxy configuration now applies at all times but still avoids blocking the userinterface on settings changes. (BZ#1478970)

FIPS mode now supports loading files over HTTPS during installationPreviously, installation images did not support FIPS mode (fips=1) during installation where a Kickstartfile is being loaded from an HTTPS source (inst.ks=https://<location>/ks.cfg). This releaseimplements support for this previously missing functionality, and loading files over HTTPS in FIPS modeworks as expected. (BZ#1341280)

Network scripts now correctly update /etc/resolv.confNetwork scripts have been enhanced to update the /etc/resolv.conf file correctly. Notably:

The scripts now update the nameserver and search entries in the /etc/resolv.conf fileafter the DNS* and DOMAIN options, respectively, have been updated in the ifcfg-* files in the/etc/sysconfig/network-scripts/ directory

The scripts now also update the order of nameserver entries after it has been updated in the ifcfg-* files in /etc/sysconfig/network-scripts/

Support for the DNS3 option has been added

The scripts now correctly process duplicate and randomly omitted DNS* options (BZ#1364895)


111




Files with the .old extension are now ignored by network scriptsNetwork scripts in Red Hat Enterprise Linux contain a regular expression which causes them to ignore ifcfg-* configuration files with certain extensions, such as .bak, .rpmnew or .rpmold. However, the.old extension was missing from this set, despite being used in documentation and in commonpractice. This update adds the .old extension into the list, which ensures that script files which use itwill be ignored by network scripts as expected. (BZ#1455419)

Bridge devices no longer fail to obtain an IP addressPreviously, bridge devices sometimes failed to obtain an IP address from the DHCP server immediatelyafter system startup. This was caused by a race condition where the ifup-eth script did not wait for theSpanning Tree Protocol (STP) to complete its startup. This bug has been fixed by adding a delay thatcauses ifup-eth to wait long enough for STP to finish starting. (BZ#1380496)

The rhel-dmesg service can now be disabled correctlyPreviously, even if the rhel-dmesg.service was explicitly disabled using systemd, it continued torun anyway. This bug has been fixed, and the service can now be disabled correctly. (BZ#1395391)

7.5 Release Notes

112




CHAPTER 31. KERNEL

kdump can now capture a vmcore with nokaslr setWhen using nokaslr and crashkernel=xxM,high options, a bug in the implementation of nokaslrprevented the kdump mechanism from capturing a vmcore file. This fix ensures that if nokaslr is set,the original loading address of the kernel is returned. As a result, kdump can now collect a vmcore whenKernel Address Space Layout Randomization (KASLR) is compiled in the kernel, but disabled with nokaslr, and high memory is specified in the crashkernel parameter. (BZ#1467561)

MPOL_PREFERRED policy now works with Transparent Huge Pages (THP) with optimalperformanceAllocating memory on node 1 with the MPOL_PREFERRED policy did not work with Transparent HugePages (THP) enabled, but always fell back to the node 0 local node. Consequently, workloadperformance for multinode systems was significantly impacted. The backported patch ensures MPOL_PREFERRED policy with non-local node is respected, and system performance is back to optimal.(BZ#1476709)

A cgroups deadlock has been fixedIn certain circumstances when using cgroups, a system deadlock occurred due to a race condition. Thisupdate adds a work queue that fixes the race condition, which prevents the deadlock from happening.(BZ#1476040)

System no longer becomes unresponsive when DM thin provisioning is used ontop of a loop devicePreviously, system sometimes became unresponsive when Device Mapper (DM) thin provisioning wasused on top of a loop device. With this update, memory allocation now uses correct gfp mask. As aresult, the described problem no longer occurs. (BZ#1469247)

KASLR now no longer causes mirroring of kernel memory to non-mirroredregionsPrior to this update, with specified mirrored memory regions and kernel address space layoutrandomization (KASLR) enabled kernel memory could be located into non-mirrored memory regions. Asa consequence, non-mirrored memory regions became unmovable. With this update, Kernel memorylocation is restricted from mirror regions. As a result, KASLR no longer causes mirroring of kernelmemory to non-mirrored regions. (BZ#1446684)

Users now receive message with prompt to remove white space characters in the /etc/kdump.conf

Previously, one or more leading white space characters before a kdump configuration item in the /etc/kdump.conf caused incorrect kdump configuration. With this update, an error message withprompt to remove the leading white space characters return to users, and kdump no longer fails due tothe described behavior. (BZ#1476219)

An application with large .bss segment on IBM POWER Systems will no longercause random segmentation faultsPreviously, on IBM POWER Systems architectures, an application with large .bss segment could causethe dynamic linker to terminate unexpectedly. As a consequence, an application launched with thedynamic linker could randomly cause segmentation faults. With this update, the ELF_ET_DYN_BASEvalue has been increased to 4GB for 64-bit implementations and 4MB for 32-bit implementations on thisarchitecture. As a result, an application with large .bss segment on IBM POWER Systems architectureswill not lead to random segmentation faults. (BZ#1432288)

Kernel no longer consumes excessive amounts of resources to calculate load

CHAPTER 31. KERNEL

113


Previously, the kernel calculated load for every task group, including empty task groups, whichconsumed an excessive amount of system resources on systems with a large number of processes. Thisupdate prevents the kernel from calculating the load of empty task groups, which reduces the systemload in the described circumstances. (BZ#1460641)

Cpuset is now able to restore the effective CPU mask after a pair of offline andonline eventsPrior to this update, the cpuset filesystem, which confines processes to processor and memory nodesubsets, had one bitmap set enabled for CPUs used in a cpuset. As a consequence, a CPU offline eventfollowed by a CPU online event caused the affected CPU to be removed from all non-root cpusets. Withthis update, cpuset has two bitmap sets enabled. As a result, cpuset is now able to properly track CPUonline or offline events to restore the effective CPU mask as long as the -o cpuset_v2_mode mountflag is used when mounting cpuset cgroup. (BZ#947004)

Access to /proc/[pid]/maps is now significantly fasterPreviously, the time to locate a task of a stack Virtual Memory Area (VMA) in the [stack:TID]annotation scaled directly with the number of active tasks in the system. As a consequence, the moretasks were running in the system, the slower it was to correctly annotate the stack VMA, which causesslowed access to the /proc/[pid]/maps files. With this update, the [stack:TID] annotation is nolonger used. As a result, access to /proc/[pid]/maps is now significantly faster, particularly when alot of tasks is running in the system. (BZ#1448534)

fadump no longer fails to restartPreviously, fadump stopped during DLPAR memory remove operation and then started to restart. Undercertain circumstances fadump failed to restart. With this update, the described problem no longer occurs.(BZ#1438695)

makedumpfile can now map page table entries correctlyOn some virtual machines running on HP hardware, it was impossible to correctly obtain the physicaladdress of the virtual machine's memory, causing the makedumpfile utility to fail with an error similarto:

readmem: Can't convert a virtual address(ffffffffb21158a0) to physical address

The problem happened because file_size was incorrectly calculated, preventing the readpage_elf() function from working properly. This update fixes the calculation of file_size onthese systems, ensuring that a vmcore file can be collected, and the makedumpfile --mem-usagecommand estimates the vmcore size correctly. (BZ#1448861)

Asymmetric groups are used for overlapping scheduling domainsPreviously, scheduling group construction on certain Non-Uniform Memory Access (NUMA) systemsnegatively influenced thread migration. This situation adversely affected the performance when a taskcould not be migrated to a neighboring NUMA node. With this update, asymmetric groups are used foroverlapping scheduling domains to solve the problem. (BZ#1373534)

The KASLR no longer causes kernel to become unresponsive while booting thesystemPreviously, the kernel sometimes became unresponsive on certain SGI UV systems when the KernelAddress Space Layout Randomization (KASLR) feature was enabled. As a consequence, the systemswere unable to boot. With this update, the kernel does not attempt to adapt the size of the direct mappingwhen KASLR is enabled. As a result, the system now boots normally and the described problem nolonger occurs. (BZ#1457046)

7.5 Release Notes

114

Unplugging a Wacom tablet with ExpressKeys no longer causes the operatingsystem to rebootWhen some Wacom tablets were unplugged from a running GNOME session on Red Hat EnterpriseLinux 7.4, the operating system rebooted within five seconds. This problem was initially observed onWacom model 27QHD devices. This update ensures that the tablet can be unplugged without causingthe operating system to reboot. (BZ#1462363)

Setting memory.kmem.limit_in_bytes no longer causes a problem when removingthat memory cgroup laterPreviously, setting the cgroup memory.kmem.limit_in_bytes parameter caused a problem whenthat memory cgroup was later removed. The problem occurred when an attempt was made to merge thememory cgroup kmem cache, which was not handled properly. This update disables kmem cache mergingfor memory cgroups by backporting the current upstream code, which no longer uses this functionality.(BZ#1442618)

The sha1-avx2 encryption algorithm is now re-enabledDue to a read-beyond error (when the code attempts to read memory outside of its boundary), the sha1-avx2 encryption algorithm was disabled. With this update, the problem has been resolved, andadministrators may now use sha1-avx2. (BZ#1469200)

VXLAN rebased to version 4.14The VXLAN driver has been upgraded to upstream version 4.14, which provides a number of bug fixesover the previous version. Notable changes include the following:

The tunnel source IP address is used in route lookups.

VXLAN Generic Protocol Extension (VXLAN-GPE) now uses the correct Internet AssignedNumbers Authority (IANA) for User Datagram Protocol (UDP) port.

The VNI 0xffffff value can now be used.

A race condition on tunnel removal has been fixed.

Static forwarding database (fdb) entries now behave consistently with Linux bridge.(BZ#1467280)

CHAPTER 31. KERNEL

115


Network operation persists when ip6mr unregisters an already unregistered devicePreviously, the IPv6 multicast routing (ip6mr) code tried to unregister an already unregistereddevice. As a consequence, a bug was reported in the syslog causing the network operation to stop.With this update, ip6mr no longer unregisters devices that are already marked as unregistered. As aresult, no more bugs are reported in syslog, and the network operation persists in the describedscenario. (BZ#1445046)

Sending big files through VTI no longer failsPreviously, when sending a big file through Virtual Tunnel Interface (VTI) failed because VTIdid not handle Path Maximum Transmission Unit (PMTU). As a consequence, files with greatersize than the PMTU size could not be sent. This update adds PMTU handling. As a result, PMTU can beupdated in Tx path, and the described problem no longer occurs. (BZ#1467521)

L2TP with IPv6 encapsulation now works in name spacePreviously, using Layer 2 Tunneling Protocol (L2TP) with IPv6 encapsulation did not supportname space. As a consequence, L2TP could not be used in name space. With this update, L2TP with IPv6 encapsulation is now aware of name space, and the described problem no longer occurs.(BZ#1465711)

Flushing ARP entries no longer failsPreviously, trying to flush an incomplete or failed Address Resolution Protocol (ARP) entry hadno effect. As a consequence, the incomplete ARP entry remained there, and in some cases causedproblems for debugging systems or networks. This update allows for the removal of an incomplete orfailed ARP entry. As a result, users can now get an ARP table as expected. (BZ#1383691, BZ#1469945)

Using cls_matchall with classful queue disciplines no longer causes the kernel tocrashPreviously, the matchall classifier (cls_matchall) did not assign the classic option to a packet. Asa consequence, the kernel terminated unexpectedly when trying to use cls_matchall with classfulqueueing disciplines (classful qdiscs), such as Hierarchical Token Bucket (HTB) or Class BasedQueueing (CBQ). With this update, when cls_matchall processes classid, classid is assigned toa packet. As a result, cls_matchall with classful qdiscs can now be used successfully and theuser-provided value of classid is no longer ignored in the described scenario.

For more details on the kernel actions related to classid, see the OPTIONS section in the tc-matchall (8) man page. (BZ#1460213)

ICMP error packets are no longer lost when a user connects to a closed SCTP portPreviously, when trying to connect to a closed Stream Control Transmission Protocol (SCTP) port, an Internet Control Message Protocol (ICMP) error reply from the server was lost. Thisoccurred only with Network Interface Cards (NICs) that used non-linear buffers to receive data.As a consequence, for a connection to a closed SCTP port, the user was waiting until a timeout insteadof getting the connection refused error message from the server immediately. With this update, thereceived data is handled in a linear way and the ICMP error reply is not lost. As a result, the userreceives the corresponding ICMP error in the described situation. (BZ#1450529)

SCTP now selects the right source addressPreviously, when using a secondary IPv6 address, Stream Control Transmission Protocol (SCTP)selected the source address based on the best prefix matching with the destination address. As aconsequence, in some cases, a packet was sent through an interface with the wrong IPv6 address. With

7.5 Release Notes

116



this update, SCTP uses the address that already exists in the routing table for this specific route. As aresult, SCTP uses the expected IPv6 address as the source address when secondary addresses areused on a host. (BZ#1460106)

Device reference held by iptables CLUSTERIP target is now properly released onnamespace deletionPreviously, the iptables CLUSTERIP target held a direct reference to the network device specified asinput device in the associated rule. When that rule inside a namespace was deleted, the correspondingreference was not released. As a consequence, upon namespace deletion, dangling references held bythe CLUSTERIP target sometimes prevented deletion of network devices contained in the namespace.For this reason, it was not possible to create a device with the same name and the related memory wasnot freed. With this update, the CLUSTERIP target rule reference does not hold the related device but itsindex. As a result, when deleting a namespace, all the rules and references related to this namespaceare also cleared properly. (BZ#1472892)

The nftables configuration files are no longer publicly readablePreviously, during installation in the RPM file, the nftables configuration file mode bits were notadjusted accordingly. As a consequence, the configuration templates in the /etc/nftables directoryand the etc/sysconfig/nftables.conf main configuration file were publicly readable. With thisupdate, the file mode bits are explicitly set to correct values when installing the configuration files. As aresult, the user can now install the configuration files with the correct permissions.

Note that the configuration files which are not modified by the administrator, are replaced withconfiguration files with the correct permissions.

The modified configuration files are not replaced. In that case, for /etc/sysconfig/nftables.conf,an rpmnew file is created which has the correct permissions. For any files in /etc/nftables, norpmnew file is created, and the user must manually set the permissions. (BZ#1451404)

The Ready to read events are now correctly sent to an application when SENDER_DRY_EVENTS is enabledPreviously, when enabling the SENDER_DRY_EVENTS notifications or when the Stream ControlTransmission Protocol (SCTP) Partial Reliability triggered the removal of a chunk, the SCTP stackflagged an event that it was already generated and sent it to an application. However, the flag was notremoved afterwards. As a consequence, the application missed the ready to read event. With thisupdate, the stack does not flag the event in such cases anymore. As a result, the ready to readevents are now correctly dispatched to an application. (BZ#1442784)

SCTP statistics now availablePreviously, the stream control transmission protocol (SCTP) statistics parser could not handle the /proc/net/sctp/snmp source file. As a consequence, users were not able to see the statisticinformation. Parsing of the SCTP statistics has been fixed. As a result, the SCTP statistics are nowavailable to users. (BZ#1329338)

The firewalld service daemon no longer hangs in the rmmod processPreviously, some network device drivers, specifically some wi-fi and IP over InfiniBand Network Interface Cards (IPoIB NICs) drivers, held conntrack entries associated withuntracked packets for an unlimited amount of time. As a consequence, at removal time, the conntrackkernel module was in a busy loop waiting for these entries to be freed. This led to the rmmod nf_conntrack module consuming 100% of the CPU usage causing firewalld to hang at shutdowntime. With this update, the new kernel removes support for the notrack conntrack entries, and conntrack no longer waits for such entries to be freed. As a result, the firewalld shutdown no longerhangs. (BZ#1317099)


117



When firewalld starts, net.netfilter.nf_conntrack_max is no longer reset todefault if its configuration existsPreviously, firewalld reset the nf_conntrack settings to their default values when it was started orrestarted. As a consequence, the net.netfilter.nf_conntrack_max setting was restored to itsdefault value. With this update, each time firewalld starts, it reloads nf_conntrack sysctls as theyare configured in /etc/sysctl.conf and /etc/sysctl.d. As a result, net.netfilter.nf_conntrack_max maintains the user-configured value. (BZ#1462977)

Tomcat can now be started using tomcat-jsvc with SELinux in enforcing modeIn Red Hat Enterprise Linux 7.4, the tomcat_t unconfined domain was not correctly defined in the SELinux policy. Consequently, the Tomcat server cannot be started by the tomcat-jsvc service with SELinux in enforcing mode. This update allows the tomcat_t domain to use the dac_override, setuid, and kill capability rules. As a result, Tomcat is now able to start through tomcat-jsvc with SELinux in enforcing mode. (BZ#1470735)

SELinux now allows vdsm to communicate with lldpadPrior to this update, SELinux in enforcing mode denied the vdsm daemon to access lldpadinformation. Consequently, vdsm was not able to work correctly. With this update, a rule to allow a virtd_t domain to send data to a lldpad_t domain through the dgram socket has been added to theselinux-policy packages. As a result, vdsm labeled as virtd_t can now communicate with lldpadlabeled as lldpad_t if SELinux is set to enforcing mode. (BZ#1472722)

OpenSSH servers without Privilege Separation no longer crashPrior to this update, a pointer had been dereferenced before its validity was checked. Consequently, OpenSSH servers with the Privilege Separation option turned off crashed during the sessioncleanup. With this update, pointers are checked properly, and OpenSSH servers no longer crash whilerunning without Privilege Separation due the described bug.

Note that disabling OpenSSH Privilege Separation is not recommended. (BZ#1488083)

The clevis luks bind command no longer fails with the DISA STIG-compliantpassword policyPreviously, passwords generated as part of the clevis luks bind command were not compliant withthe Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG)password policy set in the pwquality.conf file. Consequently, clevis luks bind failed on DISASTIG-compliant systems in certain cases. With this update, passwords are generated using a utilitydesigned to generate random passwords that pass the password policy, and clevis luks bind nowsucceeds in the described scenario. (BZ#1500975)

WinSCP 5.10 now works properly with OpenSSHPreviously, OpenSSH incorrectly recognized WinSCP version 5.10 as older version 5.1. As aconsequence, the compatibility bits for WinSCP version 5.1 were enabled for WinSCP 5.10, and thenewer version did not work properly with OpenSSH. With this update, the version selectors have beenfixed, and WinSCP 5.10 now works properly with OpenSSH servers. (BZ#1496808)

SFTP no longer allows to create zero-length files in read-only modePrior to this update, the process_open function in the OpenSSH SFTP server did not properly preventwrite operations in read-only mode. Consequently, attackers were allowed to create zero-length files.With this update, the function has been fixed, and the SFTP server no longer allows any file creation inread-only mode. (BZ#1517226)

7.5 Release Notes

118







Internal buffer locks no longer cause deadlocks in libdbPreviously, the libdb database did not lock its internal buffers in the correct order when it accessedpages located in an off-page duplicate (OPD) tree while processing operations on a cursor. A writerprocess accessed first the primary tree and then the OPD tree while a reader process did the same in thereverse order. When a writer process accessed a page from the primary tree while a reader processaccessed a page from the OPD tree, the processes were unable to access the page from the other treebecause the pages were simultaneously locked by the other process. This consequently caused adeadlock in libdb because neither of the processes released their locks. With this update, the btreeversion of the cursor->get method has been modified to lock the tree's pages in the same order asthe writing methods, that is, the primary tree first and the OPD tree second. As a result, deadlocks in libdb no longer occur in the described scenario. (BZ#1349779)

Weekly log rotations are now triggered more predictablyWeekly log rotations were previously performed by the logrotate utility when exactly 7 days (604800seconds) elapsed since the last rotation. Consequently, if the logrotate command was triggered by acron job slightly sooner, the rotation was delayed until the next run. With this update, weekly logrotations ignore the exact time. As a result, when the day counter advances by 7 or more days since thelast rotation, a new rotation is triggered. (BZ#1465720)

ghostscript no longer crashes while processing large PDF filesPreviously, processing large PDF files could cause the ghostscript utility to terminate unexpectedlyunder certain rare circumstances. With this update, an internal ghostscript virtual machine limit, DEFAULT_VM_THRESHOLD, has been increased, and the described problem no longer occurs. Inaddition, processing of large files is now slightly faster. (BZ#1479852)

Converting large PDF files to PNG with ghostscript no longer failsDue to a bug in the upstream source code, converting large PDF files to the PNG format using the ghostscript utility failed under certain rare circumstances. This bug has been fixed, and the describedproblem no longer occurs. (BZ#1473337)

krfb no longer crashes when unable to bind to an IPv6 portPreviously, connecting to the krfb application with a VNC client when krfb could not bind to an IPv6port, krfb terminated unexpectedly. This update fixes the improper handling of uninitialized IPv6 socket,and applications built on the libvncserver library now deal with the unsuccessful attempt to listen on anIPv6 port correctly. (BZ#1314814)

mod_nss properly detects the threading model in Apache to improve performancePreviously, the mod_nss module was not detecting the threading model properly in Apache.Consequently, users experienced slower performance because the TLS Session ID was not maintainedacross handshakes and a new session ID was generated for each handshake. This update fixes thethreading model detection. As a result, TLS Session IDs are now properly cached, which eliminates thedescribed performance problems. (BZ#1461580)

atd no longer runs with 100% CPU utilization nor fills system logPreviously, the atd daemon of the at utility handled incorrectly some types of broken jobs, particularlyjobs of non-existent users. As a consequence, atd used up all available CPU resources and filled thesystem log by messages sent with unlimited frequency. With this update, the handling of the broken jobsby atd has been fixed and the problem does not occur anymore. (BZ#1481355)

ReaR now provides a more helpful error message when grub2-efi-x64-modules ismissing


119




Previously, an attempt to create a ReaR backup on UEFI systems using the rear mkrescue and rear mkbackup commands failed due to a missing grub2-efi-x64-modules package, which is not installed bydefault but is required by ReaR to generate a GRUB image. The commands failed with the following errormessage:

ERROR: Error occurred during grub2-mkimage of BOOTX64.efi

This message proved to be confusing and unhelpful. With this update, the error will still appear in thesame circumstances, but it will point out how to fix the problem:

WARNING: /usr/lib/grub/x86_64-efi/moddep.lst not found, grub2-mkimage will likely fail. Please install the grub2-efi-x64-modules package to fix this.

As the updated message explains, you must install the missing grub2-efi-x64-modules package beforeyou can create a ReaR backup on a system with UEFI firmware. (BZ#1492177)

ReaR no longer fails to determine disk size during a mkrescue operationPreviously, the ReaR (Relax-and-Recover) utility sometimes encountered a failure while queryingpartition sizes when saving the disk layout due to a race condition with udev. As a consequence, the mkrescue operation failed with the following message:

ERROR: BUG BUG BUG! Could not determine size of disk

Therefore it was not possible to create the rescue image. The bug has been fixed, and rescue imagecreation now works as expected. (BZ#1388653)

ReaR no longer requires dosfsck and efibootmgr on non-UEFI systemsPreviously, ReaR (Relax-and-Recover) incorrectly required the dosfsck and efibootmgr utilitiesinstalled on systems that do not use UEFI. As a consequence, if the utilities were missing, the rear mkrescue command failed with an error. This bug has been fixed, and ReaR now requires thementioned utilities to be installed only on UEFI systems. (BZ#1479002)

ReaR no longer fails with NetBackup and has more reliable network configurationPreviously, two problems in the startup procedure of the rescue system caused the ReaR (Relax-and-Recover) restore process to fail when using the NetBackup method. The system's init scripts weresourced instead of executed when used by ReaR. As a consequence, the NetBackup init script abortedthe system-setup process. Additionally, processes created by the system setup were immediatelyterminated. This affected the dhclient tool as well, and in some cases caused an IP address conflict.With this update, both bugs have been fixed. As a result, ReaR works properly with the NetBackupmethod, and network configuration using DHCP is more reliable. (BZ#1506231)

ReaR recovery no longer fails when backup integrity checking is enabledPreviously, if ReaR (Relax-and-Recover) was configured to use backup integrity checking(BACKUP_INTEGRITY_CHECK=1), the recovery process always failed because the md5sum commandcould not find the backup archive. This bug has been fixed, and the described problem no longer occurs.(BZ#1532676)

7.5 Release Notes

120






CHAPTER 35. STORAGE

DM Multipath no longer crashes when adding a feature to an empty stringPreviously, the DM Multipath service terminated unexpectedly when it attempted to add a feature to thefeatures string of a built-in device configuration that had no features string. With this update, DMMultipath first checks if the features string exists, and creates one if necessary. As a result, DM Multipathno longer crashes when trying to modify a nonexistent features string. (BZ#1459370)

I/O operations no longer hang with RAID1Previously, the kernel did not handle Multiple Devices (MD) I/O errors properly in dm-raid. As aconsequence, the I/O sometimes became unresponsive. With this update, dm-raid now handles I/Oerrors correctly, and I/O operations no longer hang with RAID1. (BZ#1506338)

CHAPTER 35. STORAGE

121



Yum no longer crashes in certain nss and nspr update scenarioPreviously, when the yum installer updated a certain combination of nss and nspr package versions, thetransaction sometimes terminated prematurely due to a following symbol lookup error:

/lib64/libnsssysinit.so: undefined symbol: PR_GetEnvSecure

This then caused stale rpm locks. Yum has been updated to correctly deal with this particular nss andnspr update scenario. As a result, yum does not terminate anymore in the described scenario.(BZ#1458841)

The fastestmirror plug-in now orders mirrors before the metadata downloadPreviously, when the yum installer ran for the first time after a cache cleanup, the fastestmirror plug-in did not select the fastest mirror before metadata download. This sometimes caused a delay if somemirrors were slow or unavailable. With this update, the fastestmirror plug-in has been modified tohave effect on mirror selection before metadata download. As a result, the mirrors are polled andarranged before metadata download, which prevents such delays. (BZ#1428210)

The package-cleanup script no longer removes package dependencies of non-duplicatesPreviously, running the package-cleanup script with the --cleandupes option also removedpackages that depended on duplicates. Consequently, some packages were removed unintentionally.With this update, the package-cleanup script has been fixed to skip package dependencies of non-duplicates. Instead, the package-cleanup script prints a warning with a suggestion of a workaround.(BZ#1455318)

rhnsd.pid is now writable only by the ownerIn Red Hat Enterprise Linux 7.4, the default permissions of the /var/run/rhnsd.pid file werechanged to -rw-rw-rw-.. This setting was not secure. With this update, the change has been reverted,and the default permissions of /var/run/rhnsd.pid are now -rw-r--r--.. (BZ#1480306)

rhn_check now correctly reports system reboots to SatellitePreviously, if a system reboot of a Satellite client occurred during a rhn_check run, rhn_check did notreport its termination to Satellite. Consequently, the status of rhn_check in Satellite did not update. Withthis update, this incorrect behavior is fixed and rhn_check now handles system reboots and reports thecorrect status to Satellite. (BZ#1494389)

The rpm rhnlib -qi command now refers to the current upstream project websitePreviously, the RPM information of the rhnlib package incorrectly referred to a deprecated upstreamproject website. With this update, the rpm rhnlib -qi command displays the URL of the currentupstream project website. (BZ#1503953)

Kernel installations using rhnsd complete successfullyIf a kernel installation scheduled by the kernel was run using the Red Hat Network Daemon (rhnsd),the installation of the kernel sometimes stopped before completion. This issue has been fixed and kernelinstallations using rhnsd now complete successfully. (BZ#1475039)

rhn_check no longer modifies permissions on files in /var/cache/yum/Previously, when the Red Hat Network Daemon (rhnsd) executed the rhn_check command, thecommand modified permissions on the files in the /var/cache/yum/ directory incorrectly, resulting ina vulnerability. This bug has been fixed and rhn_check no longer modifies permissions on the files in

7.5 Release Notes

122






the /var/cache/yum/ directory. (BZ#1489989)

subscription-manager reports an RPM package if its vendor contains non-UTF8charactersPreviously, the subscription-manager utility assumed UTF-8 data in the RPM package vendor field.Consequently, if an RPM installed on the system contained a vendor with non-UTF8 characters, the subscription-manager failed to report the packages. With this update, the subscription-manager has been updated to ignore encoding issues in the RPM package vendor field. As a result, subscription-manager reports a package profile correctly even if the installed RPM has a non-UTF8vendor. (BZ#1519512)

subscription-manager now works with proxies that expect the Host headerPreviously, the subscription-manager utility was not compatible with proxies that expect the Hostheader because it did not include the Host header when connecting. With this update, subscription-manager includes the Host header when connecting and is compatible with these proxies.(BZ#1507158)

subscription-manager assigns valid IPv4 addresses to network.ipv4_address evenif initial DNS resolution failsPreviously, when the subscription-manager utility failed to resolve the IPv4 address of a system, itincorrectly assigned the loopback interface address 127.0.0.1 for the network.ipv4_address fact.This occurred even when there was a valid interface with a valid IP address. With this update, if subscription-manager fails to resolve the IPv4 address of a system, it gathers IPv4 addresses fromall interfaces except the loopback interface and assigns the valid IPv4 addresses for the network.ipv4_address fact. (BZ#1476817)

virt-who ensures that provided options fit the same virtualization typeWith this update, the virt-who utility ensures that all command-line options provided by the user arecompatible with the intended virtualization type. In addition, if virt-who detects an incompatible option,it provides a corresponding error message. (BZ#1461417)

virt-who configuration no longer resets on upgrade or reinstallPreviously, upgrading or reinstalling virt-who reset the configuration of the /etc/virt-who.conffile to default values. This update changes the packaging of virt-who to prevent overwritingconfiguration files, which ensures the described problem no longer occurs. (BZ#1485865)

virt-who now reads the 'address' field provided by RHEVM to discover and reportthe correct host namePreviously, if the virt-who utility reported on a Red Hat Virtualization (RHV) host and the hypervisor_id=hostname option was used, virt-who displayed an incorrect host name value. Thisupdate ensures that virt-who reads the correct field value in the described circumstances and as aresult, the proper host name is displayed. (BZ#1389729)


123








Guests no longer shut down unexpectedly during rebootOn a Red Hat Enterprise Linux 7.4 guest running on qemu-kvm-1.5.3-139.el7, if the i6300esb watchdog was set to poweroff, the watchdog was triggered when shutting down due to the timeoutbeing calculated incorrectly. Consequently, when rebooting the guest, it shut down instead. With thisupdate, the timeout calculations in qemu-kvm have been corrected. As a result, the virtual machinereboots properly. (BZ#1470244)

Guests accessed using a serial console no longer become unresponsivePreviously, if a client opened a host-side pseudoterminal device (pty) on a KVM guest pty serial consoleand did not read from it, the guest in some cases became unresponsive because because of blockingread/write calls. With this update, the host-side pty open mode was set to non-blocking. As a result, theguest machine does not become unresponsive in the described scenario. (BZ#1455451)

virt-v2v now warns about not converting PCI passthrough devicesThe virt-v2v utility currently cannot convert PCI passthrough devices and thus ignores them in theconversion process. Prior to this update, however, attempting to convert a guest virtual machine with aPCI passthrough device successfully converted the guest, but did not provide any warning about theignored PCI passthrough device. Now, converting such a guest logs an appropriate warning messageduring the conversion. (BZ#1472719)

When importing OVAs, virt-v2v now parses MAC addressesPreviously, the virt-v2v utility did not parse the MAC addresses of network interfaces when importingOpen Virtual Appliances (OVAs). Consequently, the converted guest virtual machines had networkinterfaces with different MAC addresses, resulting in the network setup breaking. With this release, virt-v2v parses the MAC addresses, if available, of network interfaces when importing OVAs. As aresult, network converted guests have the same MAC addresses as specified in the OVAs and thenetwork setup does not break. (BZ#1506572)

7.5 Release Notes

124






This part provides a list of all Technology Previews available in Red Hat Enterprise Linux 7.5.

For information on Red Hat scope of support for Technology Preview features, seehttps://access.redhat.com/support/offerings/techpreview/.


125

https://access.redhat.com/support/offerings/techpreview/


The systemd-importd VM and container image import and export serviceLatest systemd version now contains the systemd-importd daemon that was not enabled in theearlier build, which caused the machinectl pull-* commands to fail. Note that the systemd-importd daemon is offered as a Technology Preview and should not be considered stable.(BZ#1284974)

7.5 Release Notes

126



Use of AD and LDAP sudo providersThe Active Directory (AD) provider is a back end used to connect to an AD server. Starting with Red HatEnterprise Linux 7.2, using the AD sudo provider together with the LDAP provider is available as aTechnology Preview. To enable the AD sudo provider, add the sudo_provider=ad setting in the[domain] section of the sssd.conf file. (BZ#1068725)

DNSSEC available as Technology Preview in IdMIdentity Management (IdM) servers with integrated DNS now support DNS Security Extensions(DNSSEC), a set of extensions to DNS that enhance security of the DNS protocol. DNS zones hosted onIdM servers can be automatically signed using DNSSEC. The cryptographic keys are automaticallygenerated and rotated.

Users who decide to secure their DNS zones with DNSSEC are advised to read and follow thesedocuments:

DNSSEC Operational Practices, Version 2: http://tools.ietf.org/html/rfc6781#section-2

Secure Domain Name System (DNS) Deployment Guide:http://dx.doi.org/10.6028/NIST.SP.800-81-2

DNSSEC Key Rollover Timing Considerations: http://tools.ietf.org/html/rfc7583

Note that IdM servers with integrated DNS use DNSSEC to validate DNS answers obtained from otherDNS servers. This might affect the availability of DNS zones that are not configured in accordance withrecommended naming practices described in the Red Hat Enterprise Linux Networking Guide:https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/ch-Configure_Host_Names.html#sec-Recommended_Naming_Practices. (BZ#1115294)

Identity Management JSON-RPC API available as Technology PreviewAn API is available for Identity Management (IdM). To view the API, IdM also provides an API browser asTechnology Preview.

In Red Hat Enterprise Linux 7.3, the IdM API was enhanced to enable multiple versions of APIcommands. Previously, enhancements could change the behavior of a command in an incompatibleway. Users are now able to continue using existing tools and scripts even if the IdM API changes. Thisenables:

Administrators to use previous or later versions of IdM on the server than on the managing client.

Developers to use a specific version of an IdM call, even if the IdM version changes on theserver.

In all cases, the communication with the server is possible, regardless if one side uses, for example, anewer version that introduces new options for a feature.

For details on using the API, see https://access.redhat.com/articles/2728021 (BZ#1298286)

The Custodia secrets service provider is now availableAs a Technology Preview, you can now use Custodia, a secrets service provider. Custodia stores orserves as a proxy for secrets, such as keys or passwords.

For details, see the upstream documentation at http://custodia.readthedocs.io. (BZ#1403214)


127


http://tools.ietf.org/html/rfc6781#section-2

http://dx.doi.org/10.6028/NIST.SP.800-81-2

http://tools.ietf.org/html/rfc7583

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/ch-Configure_Host_Names.html#sec-Recommended_Naming_Practices




http://custodia.readthedocs.io


Containerized Identity Management server available as Technology PreviewThe rhel7/ipa-server container image is available as a Technology Preview feature. Note that the rhel7/sssd container image is now fully supported.

For details, see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/using_containerized_identity_management_services. (BZ#1405325, BZ#1405326)

7.5 Release Notes

128

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/using_containerized_identity_management_services



The pcs tool now manages bundle resources in PacemakerAs a Technology Preview starting with Red Hat Enterprise Linux 7.4, the pcs tool supports bundleresources. You can now use the pcs resource bundle create and the pcs resource bundle update commands to create and modify a bundle. You can add a resource to an existing bundle withthe pcs resource create command. For information on the parameters you can set for a bundleresource, run the pcs resource bundle --help command. (BZ#1433016)

New fence-agents-heuristics-ping fence agentAs a Technology Preview, Pacemaker now supports the fence_heuristics_ping agent. This agentaims to open a class of experimental fence agents that do no actual fencing by themselves but insteadexploit the behavior of fencing levels in a new way.

If the heuristics agent is configured on the same fencing level as the fence agent that does the actualfencing but is configured before that agent in sequence, fencing issues an off action on the heuristicsagent before it attempts to do so on the agent that does the fencing. If the heuristics agent gives anegative result for the off action it is already clear that the fencing level is not going to succeed, causingPacemaker fencing to skip the step of issuing the off action on the agent that does the fencing. Aheuristics agent can exploit this behavior to prevent the agent that does the actual fencing from fencing anode under certain conditions.

A user might want to use this agent, especially in a two-node cluster, when it would not make sense for anode to fence the peer if it can know beforehand that it would not be able to take over the servicesproperly. For example, it might not make sense for a node to take over services if it has problemsreaching the networking uplink, making the services unreachable to clients, a situation which a ping to arouter might detect in that case. (BZ#1476401)

Heuristics supported in corosync-qdevice as a Technology PreviewHeuristics are a set of commands executed locally on startup, cluster membership change, successfulconnect to corosync-qnetd, and, optionally, on a periodic basis. When all commands finishsuccessfully on time (their return error code is zero), heuristics have passed; otherwise, they have failed.The heuristics result is sent to corosync-qnetd where it is used in calculations to determine whichpartition should be quorate. (BZ#1413573, BZ#1389209)


129




CHAPTER 41. DESKTOP

Wayland available as a Technology PreviewThe Wayland display server protocol is now available in Red Hat Enterprise Linux as a TechnologyPreview. This update adds the dependent packages required to enable Wayland support in GNOME,which supports fractional scaling. Wayland uses the libinput library as its input driver.

The following features are currently unavailable or do not work correctly:

Multiple GPU support is impossible.

The NVIDIA binary driver does not work under Wayland.

The xrandr utility does not work under Wayland due to its different approach to handling,resolutions, rotations, and layout.

Screen recording, remote desktop, and accessibility do not always work correctly under Wayland.

No clipboard manager is available.

It is impossible to restart GNOME Shell under Wayland.

Wayland ignores keyboard grabs issued by X11 applications, such as virtual machines viewers.(BZ#1481411)

Fractional Scaling available as a Technology PreviewStarting with Red Hat Enterprise Linux 7.5, GNOME provides, as a Technology Preview, fractionalscaling to address problems with monitors whose DPI lies in the middle between lo (scale 1) and hi(scale 2).

Due to technical limitations, fractional scaling is available only on Wayland. (BZ#1481395)

7.5 Release Notes

130



The CephFS kernel client is now availableStarting with Red Hat Enterprise Linux 7.3, the Ceph File System (CephFS) kernel module enables, as aTechnology Preview, Red Hat Enterprise Linux nodes to mount Ceph File Systems from Red Hat CephStorage clusters. The kernel client in Red Hat Enterprise Linux is a more efficient alternative to theFilesystem in Userspace (FUSE) client included with Red hat Ceph Storage. Note that the kernel clientcurrently lacks support for CephFS quotas. For more information, see the Ceph File System Guide forRed Hat Ceph Storage 2: https://access.redhat.com/documentation/en/red-hat-ceph-storage/2/single/ceph-file-system-guide-technology-preview (BZ#1205497)

ext4 and XFS file systems now support DAXStarting with Red Hat Enterprise Linux 7.3, Direct Access (DAX) provides, as a Technology Preview, ameans for an application to directly map persistent memory into its address space. To use DAX, asystem must have some form of persistent memory available, usually in the form of one or more Non-Volatile Dual In-line Memory Modules (NVDIMMs), and a file system that supports DAX must be createdon the NVDIMM(s). Also, the file system must be mounted with the dax mount option. Then, an mmap ofa file on the dax-mounted file system results in a direct mapping of storage into the application's addressspace. (BZ#1274459)

pNFS block layout is now availableAs a Technology Preview, Red Hat Enterprise Linux clients can now mount pNFS shares with the blocklayout feature.

Note that Red Hat recommends using the pNFS SCSI layout instead, which is similar to block layout buteasier to use. (BZ#1111712)

pNFS SCSI layout is now available for client and serverClient and server support for parallel NFS (pNFS) SCSI layouts is provided as a Technology Previewstarting with Red Hat Enterprise Linux 7.3. Building on the work of block layouts, the pNFS layout isdefined across SCSI devices and contains sequential series of fixed-size blocks as logical units that mustbe capable of supporting SCSI persistent reservations. The Logical Unit (LU) devices are identified bytheir SCSI device identification, and fencing is handled through the assignment of reservations.(BZ#1305092)

OverlayFSOverlayFS is a type of union file system. It allows the user to overlay one file system on top of another.Changes are recorded in the upper file system, while the lower file system remains unmodified. Thisallows multiple users to share a file-system image, such as a container or a DVD-ROM, where the baseimage is on read-only media. Refer to the kernel file Documentation/filesystems/overlayfs.txt foradditional information.

OverlayFS remains a Technology Preview in Red Hat Enterprise Linux 7.5 under most circumstances.As such, the kernel will log warnings when this technology is activated.

Full support is available for OverlayFS when used with Docker under the following restrictions:

OverlayFS is only supported for use as a Docker graph driver. Its use can only be supported forcontainer COW content, not for persistent storage. Any persistent storage must be placed onnon-OverlayFS volumes to be supported. Only default Docker configuration can be used; that is,one level of overlay, one lowerdir, and both lower and upper levels are on the same file system.

Only XFS is currently supported for use as a lower layer file system.

On Red Hat Enterprise Linux 7.3 and earlier, SELinux must be enabled and in enforcing modeon the physical machine, but must be disabled in the container when performing container


131

https://access.redhat.com/documentation/en/red-hat-ceph-storage/2/single/ceph-file-system-guide-technology-preview

separation, that is the /etc/sysconfig/docker file must not contain --selinux-enabled.Starting with Red Hat Enterprise Linux 7.4, OverlayFS supports SELinux security labels, and youcan enable SELinux support for containers by specifying --selinux-enabled in /etc/sysconfig/docker.

The OverlayFS kernel ABI and userspace behavior are not considered stable, and may seechanges in future updates.

In order to make the yum and rpm utilities work properly inside the container, the user should beusing the yum-plugin-ovl packages.

Note that OverlayFS provides a restricted set of the POSIX standards. Test your application thoroughlybefore deploying it with OverlayFS.

Note that XFS file systems must be created with the -n ftype=1 option enabled for use as an overlay.With the rootfs and any file systems created during system installation, set the --mkfsoptions=-n ftype=1 parameters in the Anaconda kickstart. When creating a new file system after the installation,run the # mkfs -t xfs -n ftype=1 /PATH/TO/DEVICE command. To determine whether anexisting file system is eligible for use as an overlay, run the # xfs_info /PATH/TO/DEVICE | grep ftype command to see if the ftype=1 option is enabled.

There are also several known issues associated with OverlayFS as of Red Hat Enterprise Linux 7.5release. For details, see Non-standard behavior in the Documentation/filesystems/overlayfs.txt file. (BZ#1206277)

Btrfs file systemThe Btrfs (B-Tree) file system is available as a Technology Preview in Red Hat Enterprise Linux 7.

Red Hat Enterprise Linux 7.4 introduced the last planned update to this feature. Btrfs has beendeprecated, which means Red Hat will not be moving Btrfs to a fully supported feature and it will beremoved in a future major release of Red Hat Enterprise Linux. (BZ#1477977)

New package: ima-evm-utilsThe ima-evm-utils package provides utilities to label the file system and verify the integrity of your systemat run time using the Integrity Measurement Architecture (IMA) and Extended Verification Module (EVM)features. These utilities enable you to monitor if files have been accidentally or maliciously altered.

The ima-evm-utils package is now available as a Technology Preview. (BZ#1384450)

7.5 Release Notes

132


LSI Syncro CS HA-DAS adaptersRed Hat Enterprise Linux 7.1 included code in the megaraid_sas driver to enable LSI Syncro CS high-availability direct-attached storage (HA-DAS) adapters. While the megaraid_sas driver is fully supportedfor previously enabled adapters, the use of this driver for Syncro CS is available as a TechnologyPreview. Support for this adapter is provided directly by LSI, your system integrator, or system vendor.Users deploying Syncro CS on Red Hat Enterprise Linux 7.2 and later are encouraged to providefeedback to Red Hat and LSI. For more information on LSI Syncro CS solutions, please visithttp://www.lsi.com/products/shared-das/pages/default.aspx. (BZ#1062759)

tss2 enables TPM 2.0 for IBM Power LEThe tss2 package adds IBM implementation of a Trusted Computing Group Software Stack (TSS) 2.0 asa Technology Preview for the IBM Power LE architecture. This package enables users to interact withTPM 2.0 devices. (BZ#1384452)

ibmvnic Device DriverStarting with Red Hat Enterprise Linux 7.3, the ibmvnic Device Driver has been available as aTechnology Preview for IBM POWER architectures. vNIC (Virtual Network Interface Controller) is aPowerVM virtual networking technology that delivers enterprise capabilities and simplifies networkmanagement. It is a high-performance, efficient technology that when combined with SR-IOV NICprovides bandwidth control Quality of Service (QoS) capabilities at the virtual NIC level. vNIC significantlyreduces virtualization overhead, resulting in lower latencies and fewer server resources, including CPUand memory, required for network virtualization. (BZ#1391561, BZ#947163)


133

http://www.lsi.com/products/shared-das/pages/default.aspx


CHAPTER 44. KERNEL

Heterogeneous memory management included as a Technology PreviewRed Hat Enterprise Linux 7.3 introduced the heterogeneous memory management (HMM) feature as aTechnology Preview. This feature has been added to the kernel as a helper layer for devices that want tomirror a process address space into their own memory management unit (MMU). Thus a non-CPUdevice processor is able to read system memory using the unified system address space. To enable thisfeature, add experimental_hmm=enable to the kernel command line. (BZ#1230959)

criu rebased to version 3.5Red Hat Enterprise Linux 7.2 introduced the criu tool as a Technology Preview. This tool implements Checkpoint/Restore in User-space (CRIU), which can be used to freeze a running applicationand store it as a collection of files. Later, the application can be restored from its frozen state.

Note that the criu tool depends on Protocol Buffers, a language-neutral, platform-neutralextensible mechanism for serializing structured data. The protobuf and protobuf-c packages, whichprovide this dependency, were also introduced in Red Hat Enterprise Linux 7.2 as a TechnologyPreview.

In Red Hat Enterprise Linux 7.5, the criu packages have been upgraded to upstream version 3.5, whichprovides a number of bug fixes and enhancements. In addition, support for IBM z Systems and the 64-bitARM architecture has been added. (BZ#1400230, BZ#1464596)

kexec as a Technology PreviewThe kexec system call has been provided as a Technology Preview. This system call enables loadingand booting into another kernel from the currently running kernel, thus performing the function of the bootloader from within the kernel. Hardware initialization, which is normally done during a standard systemboot, is not performed during a kexec boot, which significantly reduces the time required for a reboot.(BZ#1460849)

kexec fast reboot as a Technology PreviewAs a Technology Preview, this update adds the kexec fast reboot feature, which makes the rebootsignificantly faster. To use this feature, you must load the kexec kernel manually, and then reboot theoperating system. It is not possible to make kexec fast reboot as the default reboot action.

Special case is using kexec fast reboot for Anaconda. It still does not enable to make kexec fast reboot default. However, when used with Anaconda, the operating system can automaticallyuse kexec fast reboot after the installation is complete in case that user boots kernel with theanaconda option. To schedule a kexec reboot, use the inst.kexec command on the kernel commandline, or include a reboot --kexec line in the Kickstart file. (BZ#1464377)

Unprivileged access to name spaces can be enabled as a Technology PreviewYou can now set the namespace.unpriv_enable kernel command-line option if required, as aTechnology Preview.

The default setting is off.

When set to 1, issuing a call to the clone() function with the flag CLONE_NEWNS as an unprivileged userno longer returns an error and allows the operation.

However, to enable the unprivileged access to name spaces, the CAP_SYS_ADMIN flag has to be set insome user name space to create a mount name space. (BZ#1350553)

SCSI-MQ as a Technology Preview in the qla2xxx driver

7.5 Release Notes

134


The qla2xxx& driver updated in Red Hat Enterprise Linux 7.4 can now enable the use of SCSI-MQ(multiqueue) with the ql2xmqsupport=1 module parameter. The default value is 0 (disabled). TheSCSI-MQ functinality is provided as a Technology Preview when used with the qla2xxx driver.

Note that a recent performance testing at Red Hat with async IO over Fibre Channel adapters usingSCSI-MQ has shown significant performance degradation under certain conditions. A fix is being testedbut was not ready in time for Red Hat Enterprise Linux 7.4 General Availability. (BZ#1414957)

NVMe over Fibre Channel is now available as a Technology PreviewThe NVMe over Fibre Channel transport type is now available as a Technology Preview. NVMe overFibre Channel is an additional fabric transport type for the Nonvolatile Memory Express (NVMe) protocol,in addition to the Remote Direct Memory Access (RDMA) protocol that was previously introduced in RedHat Enterprise Linux.

To enable NVMe over Fibre Channel in the lpfc driver, edit the /etc/modprobe.d/lpfc.conf fileand add one or both of the following options:

To enable the NVMe mode of operation, add the lpfc_enable_fc4_type=3 option.

To enable target mode, add the lpfc_enable_nvmet=<wwpn list> option, where <wwpn list> is a comma-separated list of World-Wide Port Name (WWPN) values with the 0x prefix.

To configure an NVMe target, use the nvmetcli utility.

NVMe over Fibre Channel provides a higher-performance, lower-latency I/O protocol over existing FibreChannel infrastructure. This is especially important with solid-state storage arrays, because it allows theperformance benefits of NVMe storage to be passed through the fabric transport, rather than beingencapsulated in a different protocol, SCSI.

In Red Hat Enterprise Linux 7.5, NVMe over Fibre Channel is available only with Broadcom 32Gbitadapters, which use the lpfc driver. (BZ#1387768, BZ#1454386)

perf cqm has been replaced by resctrlThe Intel Cache Allocation Technology (CAT) was introduced in Red Hat Enterprise Linux 7.4 as aTechnology Preview. However, the perf cqm tool did not work correctly due to an incompatibilitybetween perf infrastructure and Cache Quality of Service Monitoring (CQM) hardware support.Consequently, multiple problems occurred when using perf cqm.

These problems included most notably:

perf cqm did not support the group of tasks which is allocated using resctrl

perf cqm gave random and inaccurate data due to several problems with recycling

perf cqm did not provide enough support when running different kinds of events together (thedifferent events are, for example, tasks, system-wide, and cgroup events)

perf cqm provided only partial support for cgroup events

The partial support for cgroup events did not work in cases with a hierarchy of cgroup events, orwhen monitoring a task in a cgroup and the cgroup together

Monitoring tasks for the lifetime caused perf overhead

perf cqm reported the aggregate cache occupancy or memory bandwidth over all sockets,while in most cloud and VMM-bases use cases the individual per-socket usage is needed

CHAPTER 44. KERNEL

135


With this update, perf cqm has been replaced by the approach based on the resctrl file system,which address all of the aforementioned problems. (BZ#1457533, BZ#1288964)

7.5 Release Notes

136


CHAPTER 45. REAL-TIME KERNEL

The SCHED_DEADLINE scheduler class as Technology PreviewThe SCHED_DEADLINE scheduler class for the real-time kernel, which was introduced in Red HatEnterprise Linux 7.4, continues to be available as a Technology Preview. The scheduler enablespredictable task scheduling based on application deadlines. SCHED_DEADLINE benefits periodicworkloads by reducing application timer manipulation. (BZ#1297061)

CHAPTER 45. REAL-TIME KERNEL

137


Cisco usNIC driverCisco Unified Communication Manager (UCM) servers have an optional feature to provide a Ciscoproprietary User Space Network Interface Controller (usNIC), which allows performing Remote DirectMemory Access (RDMA)-like operations for user-space applications. The libusnic_verbs driver, which isavailable as a Technology Preview, makes it possible to use usNIC devices via standard InfiniBandRDMA programming based on the Verbs API. (BZ#916384)

Cisco VIC kernel driverThe Cisco VIC Infiniband kernel driver, which is available as a Technology Preview, allows the use ofRemote Directory Memory Access (RDMA)-like semantics on proprietary Cisco architectures.(BZ#916382)

Trusted Network ConnectTrusted Network Connect, available as a Technology Preview, is used with existing network accesscontrol (NAC) solutions, such as TLS, 802.1X, or IPsec to integrate endpoint posture assessment; thatis, collecting an endpoint's system information (such as operating system configuration settings, installedpackages, and others, termed as integrity measurements). Trusted Network Connect is used to verifythese measurements against network access policies before allowing the endpoint to access thenetwork. (BZ#755087)

SR-IOV functionality in the qlcnic driverSupport for Single-Root I/O virtualization (SR-IOV) has been added to the qlcnic driver as a TechnologyPreview. Support for this functionality will be provided directly by QLogic, and customers are encouragedto provide feedback to QLogic and Red Hat. Other functionality in the qlcnic driver remains fullysupported. (BZ#1259547)

The libnftnl and nftables packagesStarting with Red Hat Enterprise Linux 7.3., the nftables and libnftl packages are available as aTechnology Preview.

The nftables packages provide a packet-filtering tool, with numerous improvements in convenience,features, and performance over previous packet-filtering tools. It is the designated successor to the iptables, ip6tables, arptables, and ebtables utilities.

The libnftnl packages provide a library for low-level interaction with nftables Netlink's API over the libmnl library. (BZ#1332585)

The flower classifier with off-loading supportflower is a Traffic Control (TC) classifier intended to allow users to configure matching on well-knownpacket fields for various protocols. It is intended to make it easier to configure rules over the u32classifier for complex filtering and classification tasks. flower also supports the ability to off-loadclassification and action rules to underlying hardware if the hardware supports it. The flower TCclassifier is now provided as a Technology Preview. (BZ#1393375)

7.5 Release Notes

138

CHAPTER 47. RED HAT ENTERPRISE LINUX SYSTEM ROLESPOWERED BY ANSIBLE

Red Hat Enterprise Linux System RolesRed Hat Enterprise Linux System Roles, available as a Technology Preview, is a configuration interfacefor Red Hat Enterprise Linux subsystems, which makes system configuration easier through the inclusionof Ansible Roles. This interface enables managing system configurations across multiple versions ofRed Hat Enterprise Linux, as well as adopting new major releases.

Since Red Hat Enterprise Linux 7.4, the Red Hat Enterprise Linux System Roles packages have beendistributed through the Extras channel. For details regarding Red Hat Enterprise Linux System Roles,see https://access.redhat.com/articles/3050101. (BZ#1313263)

CHAPTER 47. RED HAT ENTERPRISE LINUX SYSTEM ROLES POWERED BY ANSIBLE

139




USBGuard enables blocking USB devices while the screen is locked as aTechnology PreviewWith the USBGuard framework, you can influence how an already running usbguard-daemon instancehandles newly inserted USB devices by setting the value of the InsertedDevicePolicy runtimeparameter. This functionality is provided as a Technology Preview, and the default choice is to apply thepolicy rules to figure out whether to authorize the device or not.

See the Blocking USB devices while the screen is locked Knowledge Base article:https://access.redhat.com/articles/3230621 (BZ#1480100)

pk12util can now import certificates signed with RSA-PSSThe pk12util tool now provides importing a certificate signed with the RSA-PSS algorithm as aTechnology Preview.

Note that if the corresponding private key is imported and has the PrivateKeyInfo.privateKeyAlgorithm field that restricts the signing algorithm to RSA-PSS, it isignored when importing the key to a browser. See https://bugzilla.mozilla.org/show_bug.cgi?id=1413596for more information. (BZ#1431210)

Support for certificates signed with RSA-PSS in certutil has been improvedSupport for certificates signed with the RSA-PSS algorithm in the certutil tool has been improved.Notable enhancements and fixes include:

The --pss option is now documented.

The PKCS#1 v1.5 algorithm is no longer used for self-signed signatures when a certificate isrestricted to use RSA-PSS.

Empty RSA-PSS parameters in the subjectPublicKeyInfo field are no longer printed asinvalid when listing certificates.

The --pss-sign option for creating regular RSA certificates signed with the RSA-PSSalgorithm has been added.

Support for certificates signed with RSA-PSS in certutil is provided as a Technology Preview.(BZ#1425514)

NSS is now able to verify RSA-PSS signatures on certificatesWith the new version of the nss package, the Network Security Services (NSS) libraries nowprovide verifying RSA-PSS signatures on certificates as a Technology Preview. Prior to this update,clients using NSS as the SSL backend were not able to establish a TLS connection to a server thatoffered only certificates signed with the RSA-PSS algorithm.

Note that the functionality has the following limitations:

The algorithm policy settings in the /etc/pki/nss-legacy/rhel7.config file do not applyto the hash algorithms used in RSA-PSS signatures.

RSA-PSS parameters restrictions between certificate chains are ignored and only a singlecertificate is taken into account. (BZ#1432142)

SECCOMP can be now enabled in libreswan

7.5 Release Notes

140


https://bugzilla.mozilla.org/show_bug.cgi?id=1413596




As a Technology Preview, the seccomp=enabled|tolerant|disabled option has been added tothe ipsec.conf configuration file, which makes it possible to use the Secure Computing mode(SECCOMP). This improves the syscall security by whitelisting all the system calls that Libreswan isallowed to execute. For more information, see the ipsec.conf(5) man page. (BZ#1375750)


141


CHAPTER 49. STORAGE

Multi-queue I/O scheduling for SCSIRed Hat Enterprise Linux 7 includes a new multiple-queue I/O scheduling mechanism for block devicesknown as blk-mq. The scsi-mq package allows the Small Computer System Interface (SCSI) subsystemto make use of this new queuing mechanism. This functionality is provided as a Technology Preview andis not enabled by default. To enable it, add scsi_mod.use_blk_mq=Y to the kernel command line.

Although blk-mq is intended to offer improved performance, particularly for low-latency devices, it is notguaranteed to always provide better performance. In particular, in some cases, enabling scsi-mq canresult in significantly worse performance, especially on systems with many CPUs. (BZ#1109348)

Targetd plug-in from the libStorageMgmt APISince Red Hat Enterprise Linux 7.1, storage array management with libStorageMgmt, a storage arrayindependent API, has been fully supported. The provided API is stable, consistent, and allowsdevelopers to programmatically manage different storage arrays and utilize the hardware-acceleratedfeatures provided. System administrators can also use libStorageMgmt to manually configure storageand to automate storage management tasks with the included command-line interface.

The Targetd plug-in is not fully supported and remains a Technology Preview. (BZ#1119909)

Support for Data Integrity Field/Data Integrity Extension (DIF/DIX)DIF/DIX is a new addition to the SCSI Standard. It is fully supported in Red Hat Enterprise Linux 7 for theHBAs and storage arrays specified in the Features chapter, but it remains in Technology Preview for allother HBAs and storage arrays.

DIF/DIX increases the size of the commonly used 512 byte disk block from 512 to 520 bytes, adding theData Integrity Field (DIF). The DIF stores a checksum value for the data block that is calculated by theHost Bus Adapter (HBA) when a write occurs. The storage device then confirms the checksum onreceipt, and stores both the data and the checksum. Conversely, when a read occurs, the checksum canbe verified by the storage device, and by the receiving HBA. (BZ#1072107)

7.5 Release Notes

142


USB 3.0 support for KVM guestsUSB 3.0 host adapter (xHCI) emulation for KVM guests remains a Technology Preview in Red HatEnterprise Linux 7. (BZ#1103193)

Select Intel network adapters now support SR-IOV as a guest on Hyper-VIn this update for Red Hat Enterprise Linux guest virtual machines running on Hyper-V, a new PCIpassthrough driver adds the ability to use the single-root I/O virtualization (SR-IOV) feature for Intelnetwork adapters supported by the ixgbevf driver. This ability is enabled when the following conditionsare met:

SR-IOV support is enabled for the network interface controller (NIC)

SR-IOV support is enabled for the virtual NIC

SR-IOV support is enabled for the virtual switch

The virtual function (VF) from the NIC is attached to the virtual machine.

The feature is currently supported with Microsoft Windows Server 2016. (BZ#1348508)

No-IOMMU mode for VFIO driversAs a Technology Preview, this update adds No-IOMMU mode for virtual function I/O (VFIO) drivers. TheNo-IOMMU mode provides the user with full user-space I/O (UIO) access to a direct memory access(DMA)-capable device without a I/O memory management unit (IOMMU). Note that in addition to notbeing supported, using this mode is not secure due to the lack of I/O management provided by IOMMU.(BZ#1299662)

virt-v2v can now use vmx configuration files to convert VMware guestsAs a Technology Preview, the virt-v2v utility now includes the vmx input mode, which enables theuser to convert a guest virtual machine from a VMware vmx configuration file. Note that to do this, youalso need access to the corresponding VMware storage, for example by mounting the storage usingNFS. It is also possible to access the storage using SSH, by adding the -it ssh parameter.(BZ#1441197, BZ#1523767)

virt-v2v can convert Debian and Ubuntu guestsAs a technology preview, the virt-v2v utility can now convert Debian and Ubuntu guest virtualmachines. Note that the following problems currently occur when performing this conversion:

virt-v2v cannot change the default kernel in the GRUB2 configuration, and the kernelconfigured in the guest is not changed during the conversion, even if a more optimal version ofthe kernel is available on the guest.

After converting a Debian or Ubuntu VMware guest to KVM, the name of the guest's networkinterface may change, and thus requires manual configuration. (BZ#1387213)

Virtio devices can now use vIOMMUAs a Technology Preview, this update enables virtio devices to use virtual Input/Output MemoryManagement Unit (vIOMMU). This guarantees the security of Direct Memory Access (DMA) by allowingthe device to DMA only to permitted addresses. However, note that only guest virtual machines usingRed Hat Enterprise Linux 7.4 or later are able to use this feature. (BZ#1283251, BZ#1464891)

virt-v2v converts VMWare guests faster and more reliably


143






As a Technology Preview, the virt-v2v utility can now use the VMWare Virtual Disk Development Kit(VDDK) to import a VMWare guest virtual machine to a KVM guest. This enables virt-v2v to connectdirectly to the VMWare ESXi hypervisor, which improves the speed and reliability of the conversion.

Note that this conversion import method requires the external nbdkit utility and its VDDK plug-in.(BZ#1477912)

Open Virtual Machine FirmwareThe Open Virtual Machine Firmware (OVMF) is available as a Technology Preview in Red HatEnterprise Linux 7. OVMF is a UEFI secure boot environment for AMD64 and Intel 64 guests.(BZ#653382)

7.5 Release Notes

144


This part provides a comprehensive listing of all device drivers that are new or have been updated inRed Hat Enterprise Linux 7.5.


145

CHAPTER 51. NEW DRIVERS

Storage Drivers

USB Type-C Connector Class (typec.ko.xz):

USB Type-C Connector System Software Interface driver (typec_ucsi.ko.xz):

TCM QLA2XXX series NPIV enabled fabric driver (tcm_qla2xxx.ko.xz):

Chelsio FCoE driver (csiostor.ko.xz): 1.0.0-ko

Network Drivers

Software simulator of 802.11 radio(s) for mac80211 (mac80211_hwsim.ko.xz):

Vsock monitoring device. Based on nlmon device. (vsockmon.ko.xz):

Cavium LiquidIO Intelligent Server Adapter Virtual Function Driver (liquidio_vf.ko.xz): 1.6.1

Cavium LiquidIO Intelligent Server Adapter Driver (liquidio.ko.xz): 1.6.1

Mellanox firmware flash lib (mlxfw.ko.xz):

Intel OPA Virtual Network driver (opa_vnic.ko.xz):

Broadcom NetXtreme-C/E RoCE Driver Driver (bnxt_re.ko.xz):

VMware Paravirtual RDMA driver (vmw_pvrdma.ko.xz):

Graphics Drivers and Miscellaneous Drivers

MC Driver for Intel SoC using Pondicherry memory controller (pnd2_edac.ko.xz):

ALPS HID driver (hid-alps.ko.xz):

Intel Corporation DAX device (device_dax.ko.xz):

Synopsys DesignWare DMA Controller platform driver (dw_dmac.ko.xz):

Synopsys DesignWare DMA Controller core driver (dw_dmac_core.ko.xz);

Intel Sunrisepoint PCH pinctrl/GPIO driver (pinctrl-sunrisepoint.ko.xz):

Intel Lewisburg pinctrl/GPIO driver (pinctrl-lewisburg.ko.xz):

Intel Cannon Lake PCH pinctrl/GPIO driver (pinctrl-cannonlake.ko.xz):

Intel Denverton SoC pinctrl/GPIO driver (pinctrl-denverton.ko.xz):

Intel Gemini Lake SoC pinctrl/GPIO driver (pinctrl-geminilake.ko.xz):

Intel pinctrl/GPIO core driver (pinctrl-intel.ko.xz):

7.5 Release Notes

146

CHAPTER 52. UPDATED DRIVERS

Storage Driver Updates

The QLogic Fibre Channel HBA driver (qla2xxx.ko.xz) has been updated to version9.00.00.00.07.5-k1.

The Cisco FCoE HBA Driver driver (fnic.ko.xz) has been updated to version 1.6.0.34.

The Emulex OneConnectOpen-iSCSI driver (be2iscsi.ko.xz) has been updated to version11.4.0.1.

The QLogic FCoE driver (bnx2fc.ko.xz) has been updated to version 2.11.8.

The Microsemi Smart Family Controller driver (smartpqi.ko.xz) has been updated to version1.1.2-126.

The Emulex LightPulse Fibre Channel SCSI driver (lpfc.ko.xz) has been updated to version0:11.4.0.4.

The LSI MPT Fusion SAS 3.0 Device driver (mpt3sas.ko.xz) has been updated to version16.100.00.00.

The QLogic QEDF 25/40/50/100Gb FCoE driver (qedf.ko.xz) has been updated to version8.20.5.0.

The Avago MegaRAID SAS driver (megaraid_sas.ko.xz) has been updated to version07.702.06.00-rh2.

The HP Smart Array Controller driver (hpsa.ko.xz) has been updated to version 3.4.20-0-RH2.

Network Driver Updates

The Realtek RTL8152/RTL8153 Based USB Ethernet Adapters driver (r8152.ko.xz) has beenupdated to version v1.08.9.

The Intel(R) 10 Gigabit PCI Express Network driver (ixgbe.ko.xz) has been updated to version5.1.0-k-rh7.5.

The Intel(R) Ethernet Switch Host Interface driver (fm10k.ko.xz) has been updated to version0.21.7-k.

The Intel(R) Ethernet Connection XL710 Network driver (i40e.ko.xz) has been updated toversion 2.1.14-k.

The Intel(R) 10 Gigabit Virtual Function Network driver (ixgbevf.ko.xz) has been updated toversion 4.1.0-k-rh7.5.

The Intel(R) XL710 X710 Virtual Function Network driver (i40evf.ko.xz) has been updated toversion 3.0.1-k.

The Elastic Network Adapter (ENA) driver (ena.ko.xz) has been updated to version 1.2.0k.

The Cisco VIC Ethernet NIC driver (enic.ko.xz) has been updated to version 2.3.0.42.

The Broadcom BCM573xx network driver (bnxt_en.ko.xz) has been updated to version 1.8.0.

CHAPTER 52. UPDATED DRIVERS

147

The QLogic FastLinQ 4xxxx Core Module driver (qed.ko.xz) has been updated to version8.10.11.21.

The QLogic 1/10 GbE Converged/Intelligent Ethernet driver (qlcnic.ko.xz) has been updated toversion 5.3.66.

The Mellanox ConnectX HCA Ethernet driver (mlx4_en.ko.xz) has been updated to version 4.0-0.

The Mellanox ConnectX HCA low-level driver (mlx4_core.ko.xz) has been updated to version4.0-0.

The Mellanox Connect-IB, ConnectX-4 core driver (mlx5_core.ko.xz) has been updated toversion 5.0-0.

Graphics Driver and Miscellaneous Driver Updates

The standalone VMware SVGA device drm driver (vmwgfx.ko.xz) has been updated to version2.14.0.0.

7.5 Release Notes

148

CHAPTER 53. DEPRECATED FUNCTIONALITYThis chapter provides an overview of functionality that has been deprecated in all minor releases ofRed Hat Enterprise Linux 7 up to Red Hat Enterprise Linux 7.5.

Deprecated functionality continues to be supported until the end of life of Red Hat Enterprise Linux 7.Deprecated functionality will likely not be supported in future major releases of this product and is notrecommended for new deployments. For the most recent list of deprecated functionality within aparticular major release, refer to the latest version of release documentation.

Deprecated hardware components are not recommended for new deployments on the current or futuremajor releases. Hardware driver updates are limited to security and critical fixes only. Red Hatrecommends replacing this hardware as soon as reasonably feasible.

A package can be deprecated and not recommended for further use. Under certain circumstances, apackage can be removed from a product. Product documentation then identifies more recent packagesthat offer functionality similar, identical, or more advanced to the one deprecated, and provides furtherrecommendations.

Python 2 has been deprecatedPython 2 will be replaced with Python 3 in the next Red Hat Enterprise Linux (RHEL) major release.

See the Conservative Python 3 Porting Guide for information on how to migrate large code bases to Python 3.

Note that Python 3 is available to RHEL customers, and supported on RHEL, as a part of Red HatSoftware Collections.

LVM libraries and LVM Python bindings have been deprecatedThe lvm2app library and LVM Python bindings, which are provided by the lvm2-python-libs package,have been deprecated.

Red Hat recommends the following solutions instead:

The LVM D-Bus API in combination with the lvm2-dbusd service. This requires using Pythonversion 3.

The LVM command-line utilities with JSON formatting; this formatting has been available sincethe lvm2 package version 2.02.158.

Mirrored mirror log has been deprecated in LVMThe mirrored mirror log feature of mirrored LVM volumes has been deprecated. A future major release ofRed Hat Enterprise Linux will no longer support creating or activating LVM volumes with a mirroredmirror log.

The recommended replacements are:

RAID1 LVM volumes. The main advantage of RAID1 volumes is their ability to work even indegraded mode and to recover after a transient failure. For information on converting mirroredvolumes to RAID1, see the Converting a Mirrored LVM Device to a RAID1 Device section in theLVM Administration guide.

Disk mirror log. To convert a mirrored mirror log to disk mirror log, use the following command: lvconvert --mirrorlog disk my_vg/my_lv.

Deprecated packages related to Identity Management and security

CHAPTER 53. DEPRECATED FUNCTIONALITY

149

https://portingguide.readthedocs.io/en/latest/

https://access.redhat.com/site/documentation/en-US/Red_Hat_Software_Collections/

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/logical_volume_manager_administration/lv#convert-mirror-to-RAID1

The following packages have been deprecated and will not be included in a future major release ofRed Hat Enterprise Linux:

Deprecated packages Proposed replacement package or product

authconfig authselect

pam_pkcs11 sssd [a]

pam_krb5 sssd [b]

openldap-servers Depending on the use case, migrate to Identity Management included in Red HatEnterprise Linux or to Red Hat Directory Server. [c]

mod_auth_kerb mod_auth_gssapi

python-kerberos

python-krbV

python-gssapi

python-requests-kerberos

python-requests-gssapi

hesiod No replacement available.

mod_nss mod_ssl

mod_revocator No replacement available.

[a] System Security Services Daemon (SSSD) contains enhanced smart card functionality.

[b] For details on migrating from pam_krb5 to sssd, see Migrating from pam_krb5 to sssd in the upstream SSSDdocumentation.

[c] Red Hat Directory Server requires a valid Directory Server subscription. For details, see also What is the support statusof the LDAP-server shipped with Red Hat Enterprise Linux? in Red Hat Knowledgebase.

7.5 Release Notes

150

https://docs.pagure.org/SSSD.sssd/users/pam_krb5_migration.html


NOTE

In Red Hat Enterprise Linux 7.5, the following packages were added to the table above:

mod_auth_kerb

python-kerberos, python-krbV

python-requests-kerberos

hesiod

mod_nss

mod_revocator

Support for earlier IdM servers and for IdM replicas at domain level 0 will belimitedRed Hat does not plan to support using Identity Management (IdM) servers running Red HatEnterprise Linux (RHEL) 7.3 and earlier with IdM clients of the next major release of RHEL. If you plan tointroduce client systems running on the next major version of RHEL into a deployment that is currentlymanaged by IdM servers running on RHEL 7.3 or earlier, be aware that you will need to upgrade theservers, moving them to RHEL 7.4 or later.

In the next major release of RHEL, only domain level 1 replicas will be supported. Before introducing IdMreplicas running on the next major version of RHEL into an existing deployment, be aware that you willneed to upgrade all IdM servers to RHEL 7.4 or later, and change the domain level to 1.

Consider planning the upgrade in advance if your deployment will be affected.

Bug-fix only support for the nss-pam-ldapd and NIS packages in the next majorrelease of Red Hat Enterprise LinuxThe nss-pam-ldapd packages and packages related to the NIS server will be released in the futuremajor release of Red Hat Enterprise Linux but will receive a limited scope of support. Red Hat will acceptbug reports but no new requests for enhancements. Customers are advised to migrate to the followingreplacement solutions:

Affected packages Proposed replacement package or product

nss-pam-ldapd sssd

ypserv

ypbind

portmap

yp-tools

Identity Management in Red Hat Enterprise Linux

Use the Go Toolset instead of golangThe golang package has been updated to version 1.9 with Red Hat Enterprise Linux 7.5.


151

The golang package, available in the Optional channel, will be removed from a future minor release ofRed Hat Enterprise Linux 7. Developers are encouraged to use the Go Toolset instead, which iscurrently available as a Technology Preview through the Red Hat Developer program.

mesa-private-llvm will be replaced with llvm-privateThe mesa-private-llvm package, which contains the LLVM-based runtime support for Mesa, will bereplaced in a future minor release of Red Hat Enterprise Linux 7 with the llvm-private package.

libdbi and libdbi-drivers have been deprecatedThe libdbi and libdbi-drivers packages will not be included in the next Red Hat Enterprise Linux (RHEL)major release.

Ansible deprecated in the Extras channelAnsible and its dependencies will no longer be updated through the Extras channel. Instead, the RedHat Ansible Engine product has been made available to Red Hat Enterprise Linux subscriptions and willprovide access to the official Ansible Engine channel. Customers who have previously installed Ansibleand its dependencies from the Extras channel are advised to enable and update from the Ansible Enginechannel, or uninstall the packages as future errata will not be provided from the Extras channel.

Ansible was previously provided in Extras (for AMD64 and Intel 64 architectures, and IBM POWER,little endian) as a runtime dependency of, and limited in support to, the Red Hat Enterprise Linux (RHEL)System Roles. Ansible Engine is available today for AMD64 and Intel 64 architectures, with IBMPOWER, little endian availability coming soon.

Note that Ansible in the Extras channel was not a part of the Red Hat Enterprise Linux FIPS validationprocess.

The following packages have been deprecated from the Extras channel:

ansible(-doc)

libtomcrypt

libtommath(-devel)

python2-crypto

python2-jmespath

python-httplib2

python-paramiko(-doc)

python-passlib

sshpass

For more information and guidance, see the Knowledgebase article athttps://access.redhat.com/articles/3359651.

Note that Red Hat Enterprise Linux System Roles, available as a Technology Preview, continue to bedistributed though the Extras channel. Although Red Hat Enterprise Linux System Roles no longerdepend on the ansible package, installing ansible from the Ansible Engine repository is still needed torun playbooks which use Red Hat Enterprise Linux System Roles.

signtool has been deprecated

7.5 Release Notes

152

https://developers.redhat.com/products/clang-llvm-go-rust/hello-world/index.html#fndtn-go


The signtool tool from the nss packages, which uses insecure signature algorithms, has beendeprecated and will not be included in a future minor release of Red Hat Enterprise Linux.

TLS compression support has been removed from nssTo prevent security risks, such as the CRIME attack, support for TLS compression in the NSS library hasbeen removed for all TLS versions. This change preserves the API compatibility.

Public web CAs are no longer trusted for code signing by defaultThe Mozilla CA certificate trust list distributed with Red Hat Enterprise Linux 7.5 no longer trusts anypublic web CAs for code signing. As a consequence, any software that uses the related flags, such as NSS or OpenSSL, no longer trusts these CAs for code signing by default. The software continues to fullysupport code signing trust. Additionally, it is still possible to configure CA certificates as trusted for codesigning using system configuration.

Sendmail has been deprecatedSendmail has been deprecated in Red Hat Enterprise Linux 7. Customers are advised to use Postfix, which is configured as the default Mail Transfer Agent (MTA).

dmraid has been deprecatedSince Red Hat Enterprise Linux 7.5, the dmraid packages have been deprecated. It will stay available inRed Hat Enterprise Linux 7 releases but a future major release will no longer support legacy hybridcombined hardware and software RAID host bus adapter (HBA).

Automatic loading of DCCP modules through socket layer is now disabled bydefaultFor security reasons, automatic loading of the Datagram Congestion Control Protocol (DCCP)kernel modules through socket layer is now disabled by default. This ensures that userspaceapplications can not maliciously load any modules. All DCCP related modules can still be loadedmanually through the modprobe program.

The /etc/modprobe.d/dccp-blacklist.conf configuration file for blacklisting the DCCP modulesis included in the kernel package. Entries included there can be cleared by editing or removing this file torestore the previous behavior.

Note that any re-installation of the same kernel package or of a different version does not overridemanual changes. If the file is manually edited or removed, these changes persist across packageinstallations.

rsyslog-libdbi has been deprecatedThe rsyslog-libdbi sub-package, which contains one of the less used rsyslog module, has beendeprecated and will not be included in a future major release of Red Hat Enterprise Linux. Removingunused or rarely used modules helps users to conveniently find a database output to use.

The inputname option of the rsyslog imudp module has been deprecatedThe inputname option of the imudp module for the rsyslog service has been deprecated. Use the name option instead.

SMBv1 is no longer installed with Microsoft Windows 10 and 2016 (updates 1709and later)Microsoft announced that the Server Message Block version 1 (SMBv1) protocol will no longer beinstalled with the latest versions of Microsoft Windows and Microsoft Windows Server. Microsoft alsorecommends users to disable SMBv1 on earlier versions of these products.


153

This update impacts Red Hat customers who operate their systems in a mixed Linux and Windowsenvironment. Red Hat Enterprise Linux 7.1 and earlier support only the SMBv1 version of the protocol.Support for SMBv2 was introduced in Red Hat Enterprise Linux 7.2.

For details on how this change affects Red Hat customers, see SMBv1 no longer installed with latestMicrosoft Windows 10 and 2016 update (version 1709) in Red Hat Knowledgebase.

FedFS has been deprecatedFederated File System (FedFS) has been deprecated because the upstream FedFS project is no longerbeing actively maintained. Red Hat recommends migrating FedFS installations to use autofs, whichprovides more flexible functionality.

Btrfs has been deprecatedThe Btrfs file system has been in Technology Preview state since the initial release of Red HatEnterprise Linux 6. Red Hat will not be moving Btrfs to a fully supported feature and it will be removedin a future major release of Red Hat Enterprise Linux.

The Btrfs file system did receive numerous updates from the upstream in Red Hat Enterprise Linux 7.4and will remain available in the Red Hat Enterprise Linux 7 series. However, this is the last plannedupdate to this feature.

tcp_wrappers deprecatedThe tcp_wrappers package has been deprecated. tcp_wrappers provides a library and a small daemonprogram that can monitor and filter incoming requests for audit, cyrus-imap, dovecot, nfs-utils, openssh,openldap, proftpd, sendmail, stunnel, syslog-ng, vsftpd, and various other network services.

nautilus-open-terminal replaced with gnome-terminal-nautilusSince Red Hat Enterprise Linux 7.3, the nautilus-open-terminal package has been deprecated andreplaced with the gnome-terminal-nautilus package. This package provides a Nautilus extension thatadds the Open in Terminal option to the right-click context menu in Nautilus. nautilus-open-terminal isreplaced by gnome-terminal-nautilus during the system upgrade.

sslwrap() removed from PythonThe sslwrap() function has been removed from Python 2.7. After the 466 Python EnhancementProposal was implemented, using this function resulted in a segmentation fault. The removal isconsistent with upstream.

Red Hat recommends using the ssl.SSLContext class and the ssl.SSLContext.wrap_socket()function instead. Most applications can simply use the ssl.create_default_context() function,which creates a context with secure default settings. The default context uses the system's default truststore, too.

Symbols from libraries linked as dependencies no longer resolved by ldPreviously, the ld linker resolved any symbols present in any linked library, even if some libraries werelinked only implicitly as dependencies of other libraries. This allowed developers to use symbols from theimplicitly linked libraries in application code and omit explicitly specifying these libraries for linking.

For security reasons, ld has been changed to not resolve references to symbols in libraries linkedimplicitly as dependencies.

As a result, linking with ld fails when application code attempts to use symbols from libraries notdeclared for linking and linked only implicitly as dependencies. To use symbols from libraries linked asdependencies, developers must explicitly link against these libraries as well.

7.5 Release Notes

154


https://www.python.org/dev/peps/pep-0466/

To restore the previous behavior of ld, use the -copy-dt-needed-entries command-line option.(BZ#1292230)

Windows guest virtual machine support limitedAs of Red Hat Enterprise Linux 7, Windows guest virtual machines are supported only under specificsubscription programs, such as Advanced Mission Critical (AMC).

libnetlink is deprecatedThe libnetlink library contained in the iproute-devel package has been deprecated. The user shoulduse the libnl and libmnl libraries instead.

S3 and S4 power management states for KVM have been deprecatedNative KVM support for the S3 (suspend to RAM) and S4 (suspend to disk) power management stateshas been discontinued. This feature was previously available as a Technology Preview.

The Certificate Server plug-in udnPwdDirAuth is discontinuedThe udnPwdDirAuth authentication plug-in for the Red Hat Certificate Server was removed in Red HatEnterprise Linux 7.3. Profiles using the plug-in are no longer supported. Certificates created with aprofile using the udnPwdDirAuth plug-in are still valid if they have been approved.

Red Hat Access plug-in for IdM is discontinuedThe Red Hat Access plug-in for Identity Management (IdM) was removed in Red HatEnterprise Linux 7.3. During the update, the redhat-access-plugin-ipa package is automaticallyuninstalled. Features previously provided by the plug-in, such as Knowledgebase access and supportcase engagement, are still available through the Red Hat Customer Portal. Red Hat recommends toexplore alternatives, such as the redhat-support-tool tool.

The Ipsilon identity provider service for federated single sign-onThe ipsilon packages were introduced as Technology Preview in Red Hat Enterprise Linux 7.2. Ipsilonlinks authentication providers and applications or utilities to allow for single sign-on (SSO).

Red Hat does not plan to upgrade Ipsilon from Technology Preview to a fully supported feature. Theipsilon packages will be removed from Red Hat Enterprise Linux in a future minor release.

Red Hat has released Red Hat Single Sign-On as a web SSO solution based on the Keycloakcommunity project. Red Hat Single Sign-On provides greater capabilities than Ipsilon and is designatedas the standard web SSO solution across the Red Hat product portfolio.

Several rsyslog options deprecatedThe rsyslog utility version in Red Hat Enterprise Linux 7.4 has deprecated a large number of options.These options no longer have any effect and cause a warning to be displayed.

The functionality previously provided by the options -c, -u, -q, -x, -A, -Q, -4, and -6 can beachieved using the rsyslog configuration.

There is no replacement for the functionality previously provided by the options -l and -s

Deprecated symbols from the memkind libraryThe following symbols from the memkind library have been deprecated:

memkind_finalize()

memkind_get_num_kind()

memkind_get_kind_by_partition()


155


memkind_get_kind_by_name()

memkind_partition_mmap()

memkind_get_size()

MEMKIND_ERROR_MEMALIGN

MEMKIND_ERROR_MALLCTL

MEMKIND_ERROR_GETCPU

MEMKIND_ERROR_PMTT

MEMKIND_ERROR_TIEDISTANCE

MEMKIND_ERROR_ALIGNMENT

MEMKIND_ERROR_MALLOCX

MEMKIND_ERROR_REPNAME

MEMKIND_ERROR_PTHREAD

MEMKIND_ERROR_BADPOLICY

MEMKIND_ERROR_REPPOLICY

Options of Sockets API Extensions for SCTP (RFC 6458) deprecatedThe options SCTP_SNDRCV, SCTP_EXTRCV and SCTP_DEFAULT_SEND_PARAM of Sockets APIExtensions for the Stream Control Transmission Protocol have been deprecated per the RFC 6458specification.

New options SCTP_SNDINFO, SCTP_NXTINFO, SCTP_NXTINFO and SCTP_DEFAULT_SNDINFO havebeen implemented as a replacement for the deprecated options.

Managing NetApp ONTAP using SSLv2 and SSLv3 is no longer supported by libstorageMgmt

The SSLv2 and SSLv3 connections to the NetApp ONTAP storage array are no longer supported by the libstorageMgmt library. Users can contact NetApp support to enable the Transport Layer Security(TLS) protocol.

dconf-dbus-1 has been deprecated and dconf-editor is now delivered separatelyWith this update, the dconf-dbus-1 API has been removed. However, the dconf-dbus-1 library hasbeen backported to preserve binary compatibility. Red Hat recommends using the GDBus library insteadof dconf-dbus-1.

The dconf-error.h file has been renamed to dconf-enums.h. In addition, the dconf Editor is nowdelivered in the separate dconf-editor package.

FreeRADIUS no longer accepts Auth-Type := SystemThe FreeRADIUS server no longer accepts the Auth-Type := System option for the rlm_unixauthentication module. This option has been replaced by the use of the unix module in the authorizesection of the configuration file.

7.5 Release Notes

156

Deprecated Device DriversThe following device drivers continue to be supported until the end of life of Red Hat Enterprise Linux 7but will likely not be supported in future major releases of this product and are not recommended for newdeployments.

3w-9xxx

3w-sas

aic79xx

aoe

arcmsr

ata drivers:

acard-ahci

sata_mv

sata_nv

sata_promise

sata_qstor

sata_sil

sata_sil24

sata_sis

sata_svw

sata_sx4

sata_uli

sata_via

sata_vsc

bfa

cxgb3

cxgb3i

hptiop

isci

iw_cxgb3

mptbase

mptctl


157

mptsas

mptscsih

mptspi

mtip32xx

mvsas

mvumi

OSD drivers:

osd

libosd

osst

pata drivers:

pata_acpi

pata_ali

pata_amd

pata_arasan_cf

pata_artop

pata_atiixp

pata_atp867x

pata_cmd64x

pata_cs5536

pata_hpt366

pata_hpt37x

pata_hpt3x2n

pata_hpt3x3

pata_it8213

pata_it821x

pata_jmicron

pata_marvell

pata_netcell

7.5 Release Notes

158

pata_ninja32

pata_oldpiix

pata_pdc2027x

pata_pdc202xx_old

pata_piccolo

pata_rdc

pata_sch

pata_serverworks

pata_sil680

pata_sis

pata_via

pdc_adma

pm80xx(pm8001)

pmcraid

qla3xxx

stex

sx8

ufshcd

Deprecated Adapters

The following adapters from the aacraid driver have been deprecated:

PERC 2/Si (Iguana/PERC2Si), PCI ID 0x1028:0x0001

PERC 3/Di (Opal/PERC3Di), PCI ID 0x1028:0x0002

PERC 3/Si (SlimFast/PERC3Si), PCI ID 0x1028:0x0003

PERC 3/Di (Iguana FlipChip/PERC3DiF), PCI ID 0x1028:0x0004

PERC 3/Di (Viper/PERC3DiV), PCI ID 0x1028:0x0002

PERC 3/Di (Lexus/PERC3DiL), PCI ID 0x1028:0x0002

PERC 3/Di (Jaguar/PERC3DiJ), PCI ID 0x1028:0x000a

PERC 3/Di (Dagger/PERC3DiD), PCI ID 0x1028:0x000a

PERC 3/Di (Boxster/PERC3DiB), PCI ID 0x1028:0x000a


159

catapult, PCI ID 0x9005:0x0283

tomcat, PCI ID 0x9005:0x0284

Adaptec 2120S (Crusader), PCI ID 0x9005:0x0285

Adaptec 2200S (Vulcan), PCI ID 0x9005:0x0285

Adaptec 2200S (Vulcan-2m), PCI ID 0x9005:0x0285

Legend S220 (Legend Crusader), PCI ID 0x9005:0x0285

Legend S230 (Legend Vulcan), PCI ID 0x9005:0x0285

Adaptec 3230S (Harrier), PCI ID 0x9005:0x0285

Adaptec 3240S (Tornado), PCI ID 0x9005:0x0285

ASR-2020ZCR SCSI PCI-X ZCR (Skyhawk), PCI ID 0x9005:0x0285

ASR-2025ZCR SCSI SO-DIMM PCI-X ZCR (Terminator), PCI ID 0x9005:0x0285

ASR-2230S + ASR-2230SLP PCI-X (Lancer), PCI ID 0x9005:0x0286

ASR-2130S (Lancer), PCI ID 0x9005:0x0286

AAR-2820SA (Intruder), PCI ID 0x9005:0x0286



ICP9024RO (Lancer), PCI ID 0x9005:0x0286

ICP9014RO (Lancer), PCI ID 0x9005:0x0286

ICP9047MA (Lancer), PCI ID 0x9005:0x0286

ICP9087MA (Lancer), PCI ID 0x9005:0x0286

ICP5445AU (Hurricane44), PCI ID 0x9005:0x0286

ICP9085LI (Marauder-X), PCI ID 0x9005:0x0285

ICP5085BR (Marauder-E), PCI ID 0x9005:0x0285

ICP9067MA (Intruder-6), PCI ID 0x9005:0x0286

Themisto Jupiter Platform, PCI ID 0x9005:0x0287

Themisto Jupiter Platform, PCI ID 0x9005:0x0200

Callisto Jupiter Platform, PCI ID 0x9005:0x0286

ASR-2020SA SATA PCI-X ZCR (Skyhawk), PCI ID 0x9005:0x0285

ASR-2025SA SATA SO-DIMM PCI-X ZCR (Terminator), PCI ID 0x9005:0x0285

7.5 Release Notes

160

AAR-2410SA PCI SATA 4ch (Jaguar II), PCI ID 0x9005:0x0285

CERC SATA RAID 2 PCI SATA 6ch (DellCorsair), PCI ID 0x9005:0x0285

AAR-2810SA PCI SATA 8ch (Corsair-8), PCI ID 0x9005:0x0285

AAR-21610SA PCI SATA 16ch (Corsair-16), PCI ID 0x9005:0x0285

ESD SO-DIMM PCI-X SATA ZCR (Prowler), PCI ID 0x9005:0x0285

AAR-2610SA PCI SATA 6ch, PCI ID 0x9005:0x0285

ASR-2240S (SabreExpress), PCI ID 0x9005:0x0285

ASR-4005, PCI ID 0x9005:0x0285

IBM 8i (AvonPark), PCI ID 0x9005:0x0285

IBM 8i (AvonPark Lite), PCI ID 0x9005:0x0285

IBM 8k/8k-l8 (Aurora), PCI ID 0x9005:0x0286

IBM 8k/8k-l4 (Aurora Lite), PCI ID 0x9005:0x0286

ASR-4000 (BlackBird), PCI ID 0x9005:0x0285

ASR-4800SAS (Marauder-X), PCI ID 0x9005:0x0285

ASR-4805SAS (Marauder-E), PCI ID 0x9005:0x0285

ASR-3800 (Hurricane44), PCI ID 0x9005:0x0286

Perc 320/DC, PCI ID 0x9005:0x0285

Adaptec 5400S (Mustang), PCI ID 0x1011:0x0046

Adaptec 5400S (Mustang), PCI ID 0x1011:0x0046

Dell PERC2/QC, PCI ID 0x1011:0x0046

HP NetRAID-4M, PCI ID 0x1011:0x0046

Dell Catchall, PCI ID 0x9005:0x0285

Legend Catchall, PCI ID 0x9005:0x0285

Adaptec Catch All, PCI ID 0x9005:0x0285

Adaptec Rocket Catch All, PCI ID 0x9005:0x0286

Adaptec NEMER/ARK Catch All, PCI ID 0x9005:0x0288

The following adapters from the mpt2sas driver have been deprecated:

SAS2004, PCI ID 0x1000:0x0070

SAS2008, PCI ID 0x1000:0x0072


161

SAS2108_1, PCI ID 0x1000:0x0074

SAS2108_2, PCI ID 0x1000:0x0076

SAS2108_3, PCI ID 0x1000:0x0077

SAS2116_1, PCI ID 0x1000:0x0064

SAS2116_2, PCI ID 0x1000:0x0065

SSS6200, PCI ID 0x1000:0x007E

The following adapters from the megaraid_sas driver have been deprecated:

Dell PERC5, PCI ID 0x1028:0x15

SAS1078R, PCI ID 0x1000:0x60

SAS1078DE, PCI ID 0x1000:0x7C

SAS1064R, PCI ID 0x1000:0x411

VERDE_ZCR, PCI ID 0x1000:0x413

SAS1078GEN2, PCI ID 0x1000:0x78

SAS0079GEN2, PCI ID 0x1000:0x79

SAS0073SKINNY, PCI ID 0x1000:0x73

SAS0071SKINNY, PCI ID 0x1000:0x71

The following adapters from the qla2xxx driver have been deprecated:

ISP24xx, PCI ID 0x1077:0x2422

ISP24xx, PCI ID 0x1077:0x2432

ISP2422, PCI ID 0x1077:0x5422

QLE220, PCI ID 0x1077:0x5432

QLE81xx, PCI ID 0x1077:0x8001

QLE10000, PCI ID 0x1077:0xF000


QLE8000, PCI ID 0x1077:0x8432


The following adapters from the qla4xxx driver have been deprecated:

QLOGIC_ISP8022, PCI ID 0x1077:0x8022


7.5 Release Notes

162


The following Ethernet adapter controlled by the be2net driver has been deprecated:

TIGERSHARK NIC, PCI ID 0x0700

The following adapters from the be2iscsi driver have been deprecated:

Emulex OneConnect 10Gb iSCSI Initiator (generic), PCI ID 0x212

OCe10101, OCm10101, OCe10102, OCm10102 BE2 adapter family, PCI ID 0x702

OCe10100 BE2 adapter family, PCI ID 0x703

The following adapters from the lpfc driver have been deprecated:

BladeEngine 2 (BE2) Devices

TIGERSHARK FCOE, PCI ID 0x0704

Fibre Channel (FC) Devices

FIREFLY, PCI ID 0x1ae5

PROTEUS_VF, PCI ID 0xe100

BALIUS, PCI ID 0xe131

PROTEUS_PF, PCI ID 0xe180

RFLY, PCI ID 0xf095

PFLY, PCI ID 0xf098

LP101, PCI ID 0xf0a1

TFLY, PCI ID 0xf0a5

BSMB, PCI ID 0xf0d1

BMID, PCI ID 0xf0d5

ZSMB, PCI ID 0xf0e1

ZMID, PCI ID 0xf0e5

NEPTUNE, PCI ID 0xf0f5

NEPTUNE_SCSP, PCI ID 0xf0f6

NEPTUNE_DCSP, PCI ID 0xf0f7

FALCON, PCI ID 0xf180

SUPERFLY, PCI ID 0xf700

DRAGONFLY, PCI ID 0xf800


163

CENTAUR, PCI ID 0xf900

PEGASUS, PCI ID 0xf980

THOR, PCI ID 0xfa00

VIPER, PCI ID 0xfb00

LP10000S, PCI ID 0xfc00

LP11000S, PCI ID 0xfc10

LPE11000S, PCI ID 0xfc20

PROTEUS_S, PCI ID 0xfc50

HELIOS, PCI ID 0xfd00

HELIOS_SCSP, PCI ID 0xfd11

HELIOS_DCSP, PCI ID 0xfd12

ZEPHYR, PCI ID 0xfe00

HORNET, PCI ID 0xfe05

ZEPHYR_SCSP, PCI ID 0xfe11

ZEPHYR_DCSP, PCI ID 0xfe12

To check the PCI IDs of the hardware on your system, run the lspci -nn command.

Note that other adapters from the mentioned drivers that are not listed here remain unchanged.

The libcxgb3 library and the cxgb3 firmware package have been deprecatedThe libcxgb3 library provided by the libibverbs package and the cxgb3 firmware package have beendeprecated. They continue to be supported in Red Hat Enterprise Linux 7 but will likely not be supportedin the next major releases of this product. This change corresponds with the deprecation of the cxgb3, cxgb3i, and iw_cxgb3 drivers listed above.

SFN4XXX adapters have been deprecatedStarting with Red Hat Enterprise Linux 7.4, SFN4XXX Solarflare network adapters have beendeprecated. Previously, Solarflare had a single driver sfc for all adapters. Recently, support ofSFN4XXX was split from sfc and moved into a new SFN4XXX-only driver, called sfc-falcon. Bothdrivers continue to be supported at this time, but sfc-falcon and SFN4XXX support is scheduled forremoval in a future major release.

Software-initiated-only FCoE storage technologies have been deprecatedThe software-initiated-only type of the Fibre Channel over Ethernet (FCoE) storage technology has beendeprecated due to limited customer adoption. The software-initiated-only storage technology will remainsupported for the life of Red Hat Enterprise Linux 7. The deprecation notice indicates the intention toremove software-initiated-based FCoE support in a future major release of Red Hat Enterprise Linux.

It is important to note that the hardware support and the associated user-space tools (such as drivers, libfc, or libfcoe) are unaffected by this deprecation notice.

7.5 Release Notes

164

Containers using the libvirt-lxc tooling have been deprecatedThe following libvirt-lxc packages are deprecated since Red Hat Enterprise Linux 7.1:

libvirt-daemon-driver-lxc

libvirt-daemon-lxc

libvirt-login-shell

Future development on the Linux containers framework is now based on the docker command-lineinterface. libvirt-lxc tooling may be removed in a future release of Red Hat Enterprise Linux (includingRed Hat Enterprise Linux 7) and should not be relied upon for developing custom container managementapplications.

For more information, see the Red Hat KnowledgeBase article.


165


PART V. KNOWN ISSUES

This part documents known problems in Red Hat Enterprise Linux 7.5.

7.5 Release Notes

166


A crash is reported after an unsuccessful lightweight CA key retrievalWhen using Identity Management (IdM), if retrieving the lightweight certificate authority (CA) key fails forsome reason, the operation terminates unexpectedly with an uncaught exception. The exception resultsin a crash report. (BZ#1478366)

OpenLDAP causes programs to fail immediately in case of incorrect configurationPreviously, the Mozilla implementation of Network Security Services (Mozilla NSS) silently ignoredcertain misconfigurations in the OpenLDAP suite, which caused programs to fail only on connectionestablishment. With this update, OpenLDAP has switched from Mozilla NSS to OpenSSL (see therelease note for BZ#1400578). With OpenSSL, the TLS context is established immediately, andtherefore programs fail immediately. This behavior prevents potential security risks, such as keepingnon-working TLS ports open.

To work around this problem, verify and fix your OpenLDAP configuration. (BZ#1515833)

OpenLDAP reports failures when CACertFile or CACertDir point to an invalidlocationPreviously, if the CACertFile or CACertDir options pointed to an unreadable or otherwise unloadablelocation, the Mozilla implementation of Network Security Services (Mozilla NSS) did not necessarilyconsider it a misconfiguration. With this update, the OpenLDAP suite has switched from Mozilla NSS toOpenSSL (see the release note for BZ#1400578). With OpenSSL, if CACertFile or CACertDir point tosuch an invalid location, the problem is no longer silently ignored.

To avoid the failures, remove the misconfigured option, or make sure it points to a loadable location.

Additionally, OpenLDAP now applies stricter rules for the contents of the directory to which CACertDirpoints. If you experience errors when using certificates in this directory, it is possible the directory is in aninconsistent state. To fix this problem, run the openssl rehash command on the folder.

For details on CACertFile and CACertDir, see these man pages: ldap.conf(5), slapd.conf(5), slapd-config(5), and ldap_set_option(3). (BZ#1515918, BZ#1515839)

OpenLDAP does not update TLS configuration after inconsistent changes in cn=config

With this update, OpenLDAP has switched from the Mozilla implementation of Network Security Services(Mozilla NSS) to OpenSSL (see the release note for BZ#1400578). With OpenSSL, inconsistent changesof the TLS configuration in the cn=config database break the TLS protocol on the server, andconfiguration is not updated as expected. To avoid this problem, use only one change record to updatethe TLS configuration in cn=config. See the ldif(5) man page for a definition of a change record.(BZ#1524193)

Identity Management terminates connections unexpectedlyDue to a bug in Directory Server, Identity Management (IdM) terminates connections unexpectedly aftera certain amount of time, and authentication fails with the following error:

kinit: Generic error (see e-text) while getting initial credentials

The problem occurs if you installed IdM on Red Hat Enterprise Linux 7.5 from an offline media. To workaround the problem, run yum update to receive the updated 389-ds-base package which fixes theproblem. (BZ#1544477)

Directory Server can terminate unexpectedly during shutdown


167




Directory Server uses the nunc-stans framework to manage connection events. If a connection isclosed when shutting down the server, a nunc-stans job can access a freed connection structure. As aconsequence, Directory Server can terminate unexpectedly. Because this situation occurs in a late stateof the shutdown process, data is not corrupted or lost. Currently, no workaround is available.(BZ#1517383)

7.5 Release Notes

168



Data corruption occurs on RAID 10 reshape on top of VDO with el7 kernel.RAID 10 reshape (with both LVM and mdadm) on top of VDO corrupts data and can eventually trigger theraid10.c:1011 kernel bug. Stacking RAID 10 (or other RAID types) on top of VDO does not takeadvantage of the deduplication/compression capabilities of VDO and is not recommended. (BZ#1528466,BZ#1530776)


169



Memory consumption of applications using libcurl grows with each TLSconnectionThe Network Security Services (NSS) PK11_DestroyGenericObject() function does notrelease resources allocated by PK11_CreateGenericObject() early enough. Consequently, thememory allocated by applications using the libcurl package can grow with each TLS connection.

To work around this problem:

Re-use existing TLS connections where possible or

Use certificates and keys from the NSS database instead of loading them from files directly usinglibcurl (BZ#1510247)

OProfile and perf can not sample events on 2nd generation Intel Xeon Phiprocessors when NMI watchdog is disabledDue to a performance counter hardware error, sampling performance events with the default hardwareevent CPU_CLK_UNHALTED may fail on 2nd generation Intel Xeon Phi processors. As a consequence,the OProfile and perf tools fail to receive any samples when the NMI watchdog is disabled. To workaround this problem, enable NMI watchdog before running the perf or operf command:

echo 1 > /proc/sys/kernel/nmi_watchdog...operf some_examined_programopreport...

Note that this workaround allows only the selected tool to work correctly, but not the NMI watchdog,because it is based on the NMI watchdog using the erroneous counter. (BZ#1536004)

7.5 Release Notes

170


CHAPTER 57. DESKTOP

Cannot install downloaded RPM files from NautilusThe yum backend to PackageKit does not support getting details about local files. As a consequence,when an RPM file is double clicked in the Nautilus file manger, the file is not installed, and thefollowing error message is returned:

Sorry, this did not work, File is not supported

To work around this problem, either install the gnome-packagekit package to handle the double-clickaction, or manually install the files using the yum utility. (BZ#1434477)

Caps Lock LED statusWhen using an UTF-8 keymap, even though the caps lock function works properly, the caps lock LED isnot updated while in TTY mode. For the LED to be correctly updated, starting from Red Hat EnterpriseLinux 7.5, the administrator needs to create the /etc/udev/rules.d/99-kbd.rules configuration file asfollows:

ACTION=="add", SUBSYSTEM=="leds",ENV{DEVPATH}=="*/input*::capslock",ATTR{trigger}="kbd-ctrlllock"

To reload the new udev rule, run these commands:

# udevadm control --reload-rules# udevadm trigger

After this change, when pressing the caps lock key, caps lock LED changes its status as expected.(BZ#1470932, BZ#1256895)

Inconsistent GNOME Shell versionsThe GNOME desktop environment currently displays different versions of GNOME Shell. For example,the version returned by the gnome-shell --version command is different from the version found inthe Details section of Settings. (BZ#1511454)

Uninstall the 32-bit version of flatpakUsers are advised to uninstall the 32-bit version of the flatpak packages before updating to Red HatEnterprise Linux 7.5 to prevent possible multilib conflicts. (BZ#1512940)

GNOME downgrade does not workWith the new version of GNOME (3.22) introduced in Red Hat Enterprise Linux 7.4, downgradingGNOME from version 3.22 to 3.14 using the yum downgrade or dnf downgrade commands is nolonger possible. The only workaround lies in replacing the GNOME-related packages with their oldversions. If you decide to downgrade manually, read the GNOME 3.16-3.22 release notes to find whichfunctionalities you are losing. (BZ#1451876)

Wayland ignores keyboard grabs issued by X11 applications, such as virtualmachines viewersCurrently, when running through the XWayland server, graphical clients that rely on the X11 software,such as remote desktop viewers or virtual machine managers, are unable to obtain the system keyboardshortcuts for their own use. As a consequence, activating these shortcuts in a guest window, such as a virt-manager guest display, affects the local desktop instead of the guest.

CHAPTER 57. DESKTOP

171





To work around the problem, use a Wayland native client with support for Wayland shortcuts inhibitorprotocol, or switch back to the default GNOME session on X11 to run the X11 clients that require systemkeyboard shortcuts.

Note that Wayland is available as a Technology Preview. (BZ#1500397)

Superuser should not run graphical sessionsOpening a graphical session for the root user causes various bugs. The reason is that a graphicalsession is not meant to be used by superuser as it can cause serious and unexpected issues, is non-secure, and is against Unix principles. (BZ#1539772)

Keyboard not working in VM browsed by remote-viewer and virt-viewerWhen run inside a Wayland session, remote-viewer and virt-viewer utilities do not recognize keyevents in a virtual machine. Moreover, Xwayland reports the following error:

send_key: assertion 'scancode != 0'

(BZ#1540056)

gnome-system-log does not work on WaylandCurrently, when logged in a Wayland session, the root user is not allowed to access the user's Xwaylanddisplay. As a consequence, running the gnome-system-log utility in terminal does not display systemlog files.

To work around this problem, run the following xhost server access control program as follows:

$ xhost +si:localuser:root

(BZ#1537529)

GUI screen is shown incorrectlyThe X driver for Emulex Pilot2 and Pilot3 cards contains a bug when running at depth of color 16. Thisbug makes the graphics display unusable at this depth.

To make the display usable in some configurations, use 24 bpp image format. Alternatively, disable theshadow framebuffer abstraction layer in the xorg.conf file by using the ShadowFB off option. Notethat disabling the shadow frambuffer may have significant performance impact. (BZ#1499129)

xrandr fails to provide some video modesDifferent video drivers for X11 have different heuristics for adding display resolutions. In particular, theIntel and generic modesetting drivers provide different sets of video modes for some laptop displays.Consequently, some non-native video modes may not be available in all configurations.

To work around this problem, use a different video driver, or add resolutions to the output manually usingthe xrandr(1) command-line utility. (BZ#1478625)

radeon fails to reset hardware correctlyThe radeon kernel driver currently does not reset hardware in the kexec context correctly. Instead, radeon falls over, which causes the rest of the kdump service to fail.

To work around this bug, blacklist radeon in kdump by adding the following line to the /etc/kdump.conf file:

dracut_args --omit-drivers "radeon"

7.5 Release Notes

172




force_rebuild 1

Restart the machine and kdump. After starting kdump, the force_rebuild 1 line may be removedfrom the configuration file.

Note that in this scenario, no graphics will be available during kdump, but kdump will completesuccessfully. (BZ#1509444)

nouveau fails to load Nvidia secboot firmwareIn some Dell Coffeelake systems, the nouveau kernel module fails to load Nvidia secboot firmware forthe pascal cards. As a consequence, Nvidia GPU on these systems occasionally does not work, andsome of the Display ports on the system thus do not work as well.

If this bug causes trouble booting, blacklist nouveau to mitigate the problem. Note that this, however, willnot make non-functional ports on the machine work correctly. (BZ#1535168)

Xchat status icon disappears from Top Icons panelThe Xchat status icon indicating incoming personal messages disappears from top icons panel aftersuspending the system and resuming it again.

Top icons installed using Gnome Software preserve the suspend mode and do not disappear from thepanel. (BZ#1544840)

GDM does not activate hotplugged monitorsWhen a machine is booted without a monitor connected, the GNOME Display Manager (GDM)screen remains deactivated when a monitor is plugged in.

As a workaround, kill GDM while the monitor is plugged in by running:

# systemctl restart gdm.service

Alternatively, use the xrandr utility to activate the monitor. (BZ#1497303)

Wacom Expresskeys Remote not detected as tabletThe gnome-shell and control-center utilities do not detect unpaired Wacom Expresskeys Remote devices (EKRs). As a consequence, within the Wacom settings, there is no way to map thebuttons on the EKR.

Currently, EKR works only when it is paired to a tablet with a built-in pad. (BZ#1543631)

Synaptics dependency removes xorg-x11-driversLater releases of Red Hat Enterprise Linux 7 contain the xorg-x11-drv-libinput driver for X, whichcan potentially provide a superior experience for some input devices. Users attempting to switch to xorg-x11-drv-libinput can try removing the xorg-x11-drv-synaptics driver, which is requiredby the xorg-x11-drivers package. However, removing synaptics requires removing xorg-x11-drivers.

To work around this issue, remove xorg-x11-drivers. This package exists only to install a reasonablecollection of drivers at system setup time, and removing it has no runtime impact. Any X driver alreadyinstalled will be updated as expected. (BZ#1516970)

T470s docking station jack does not work on resumeAfter suspending and resuming ThinkPad T470s connected to the docking station with analog audioinput or output, the user does not receive any output sound. This problem does not affect the analogaudio input or output in the ThinkPad laptop. (BZ#1548055)

CHAPTER 57. DESKTOP

173




Screen occasionally turns off when xrandr is executedWith the Nouveau driver, RANDR operations combined with heavy 3D load, such as querying the screenresolution, may cause screen flickering.

Flickering can be avoided by minimizing concurrent 3D and RANDR operations. Hence, query or resizethe screen while 3D usage is minimal. (BZ#1545550)

HDMI and DP for 8th generation Intel Core processors not enumerating soundinputsIn Red Hat Enterprise Linux, support for alpha status hardware is disabled in the i915 driver by default.which causes that i915 never binds to the audio driver. As a consequence, HDMI and DP video andaudio standards for 8th generation Intel Core processors do not enumerate sound inputs.

To work around this issue, boot your system with the i915.alpha_support=1 line added to the kernelcommand line. (BZ#1540643)

Tray icons are non-responsive for auto-started applicationsThe GNOME Shell TopIcons extension, which shows legacy tray icons on the top of the screen, doesnot work for auto-started applications: the tray icons are non-responsive. This bug does not includeapplications started after the GNOME Session starts.

As a workaround, follow this short procedure to restart the GNOME session: 1. press Alt + F2, 2. type r, 3. press Enter. (BZ#1550115)

Inconsistent panel color on login screenWhen logging to a GNOME Classic session, suspending the laptop and resuming it again, the top panelon login screen is white, instead of black.

This problem does not affect GNOME Classic functionality. (BZ#1541021)

Additional displays are mirrored after attaching a VM guestWhen opening a guest VM monitor and enabling an additional display from the remote-viewer menu,the content of the first display is mirrored to the newly attached one.

As a workaround, resize the remote-viewer frame of any display. The desktop environment will beextended to both displays and guest displays will be properly rearranged. (BZ#1539686)

7.5 Release Notes

174





Selecting the Lithuanian language causes the installer to crashIf you select the Lithuanian (Lietuvių) langauge on the first screen of the graphical installer and press Continue (Tęsti), the installer crashes and displays a traceback message. To work around thisproblem, either use a different language, or avoid the graphical installer and use a different approachsuch as the text mode or a Kickstart installation. (BZ#1527319)

oscap-anaconda-addon fails to remediate when installing in TUI using KickstartThe OpenSCAP Anaconda add-on fails to fully remediate a machine to the specified security policywhen the system is installed using a Kickstart file that sets installation display mode to the text-baseduser interface (TUI) using the text Kickstart command. The problem occurs because packages requiredfor the remediation are not installed.

To work around this problem, you can either use the graphical installer or add packages required by thesecurity policy to the %packages section of the Kickstart file manually. (BZ#1547609)

The grub2-mkimage command fails on UEFI systems by defaultThe grub2-mkimage command may fail on UEFI systems with the following error message:

error: cannot open `/usr/lib/grub/x86_64-efi/moddep.lst': No such file or directory.

This error is caused by a the package grub2-efi-x64-modules package missing from the system. Thepackage is missing due to a known issue where it is not part of the default installation, and it is notmarked as a dependency for grub2-tools which provides the grub2-mkimage command.

The error also causes some other tools which depend on it, such as ReaR, to fail.

To work around this problem, install the grub2-efi-x64-modules, either manually using Yum, or by addingit to the Kickstart file used for installing the system. (BZ#1512493)

Kernel panic during RHEL 7.5 installation on HPE BL920s Gen9 systemsA known issue related to the fix for the Meltdown vulnerability causes a kernel panic with a NULL pointerdereference during the installation of Red Hat Enterprise Linux 7.5 on HPE BL920s Gen2 (Superdome 2)systems. When the problem appears, the following error message is displayed:

WARNING: CPU: 576 PID: 3924 at kernel/workqueue.c:1518__queue_delayed_work+0x184/0x1a0

Then the system reboots, or enters an otherwise faulty state.

There are multiple possible workarounds for this problem:

Add the nopti option to the kernel command line using the boot loader. Once the systemfinishes booting, upgrade to the latest RHEL 7.5 kernel.

Install RHEL 7.4, and then upgrade to the latest RHEL 7.5 kernel.

Install RHEL 7.5 on a single blade. Once the system is installed, upgrade to the latest RHEL 7.5kernel, and then add additional blades as required. (BZ#1540061)

The READONLY=yes option is not sufficient to configure a read-only system


175




In Red Hat Enterprise Linux 6, the READONLY=yes option in the /etc/sysconfig/readonly-rootfile was used to configure a read-only system partition. In Red Hat Enterprise Linux 7, the option is nolonger sufficient, because systemd uses a new approach to mounting the system partition.

To configure a read-only system in Red Hat Enterprise Linux 7:

Set the READONLY=yes option in /etc/sysconfig/readonly-root.

Add the ro option to the root mount point in the /etc/fstab file. (BZ#1444018)

7.5 Release Notes

176


CHAPTER 59. KERNEL

Security patches addressing Spectre and Meltdown issues can causeperformance lossSecurity patches to address issues reported in CVE-2017-5754, CVE-2017-5715, and CVE-2017-5753have been implemented. For more information on the issues, including their impact, detection andresolution, see the Red Hat Knowledgebase article athttps://access.redhat.com/security/vulnerabilities/speculativeexecution. The patches are enabled bydefault but they can cause a performance degradation.

Users can control the impact by using Red Hat Enterprise Linux Tunables. The three debugfs tunablescan be enabled or disabled on the kernel command line at boot, or at runtime using debugfs controls.The tunables control Page Table Isolation (pti), Indirect Branch Restricted Speculation (ibrs), and IndirectBranch Prediction Barriers (ibpb). Red Hat enables each of the features by default as needed to protectthe architecture detected at boot.

Customers who feel confident that their systems are well protected by other means and wish to disablethe CVE mitigations to avoid such a performance loss, should use one of the following options:

1. Add the following flags to the kernel command line, and then reboot the kernel for the changes to takeeffect:

noibrs noibpb nopti

2. Run the following commands to disable the patches at runtime. The change is immediately active anddoes not require a reboot.

# echo 0 > /sys/kernel/debug/x86/pti_enabled# echo 0 > /sys/kernel/debug/x86/ibpb_enabled# echo 0 > /sys/kernel/debug/x86/ibrs_enabled

For more information on controlling the performance impact of the CVE mitigations, refer to the Red HatKnowledgebase article available at https://access.redhat.com/articles/3311301.

See also the Diagnose tab at https://access.redhat.com/security/vulnerabilities/speculativeexecution.(BZ#1532547)

The KSC does not support the xz compressionThe Kernel module Source Checker (the ksc tool) is unable to process the xz compression method,reporting the error:

File format not recognized (Only kernel object files are supported)

To work around the problem, manually uncompress any third party modules using the xz compressionbefore running the ksc tool. (BZ#1441455)

The update of megaraid_sas can lead to a performance decreaseThe megaraid_sas driver has been updated to version 06.811.02.00-rh1, which brings a number ofperformance improvements over the previous version. However, in some cases, with configurationsbased on Solid-state Drives (SSD) a performance decrease has been observed. To work around thisproblem, set the corresponding queue_depth parameter in the /sys/ directory to a higher value up to256, which brings the performance back to its original level. (BZ#1367444)

qedi fails to bind to the iSCSI PCIe function if qede is loaded

CHAPTER 59. KERNEL

177

https://access.redhat.com/security/vulnerabilities/speculativeexecution


https://access.redhat.com/security/vulnerabilities/speculativeexecution

The qede driver, which is the ethernet driver for the QL41xxx network adapters, allocates more MSI-Xvectors than needed. Consequently, the qedi driver fails to bind to the iSCSI PCIe function exposed bythe hardware. To work around this problem, unload both the qede and qedi drivers, and then load only qedi. As a result, qedi is able to probe the iSCSI function exposed through the hardware and find anyattached iSCSI targets. (BZ#1484047)

radeon causes a kernel panicOn some systems equipped with the radeon kernel driver as the secondary or primary GPU, thesystem occasionally fails to start due to a bug in the amdgpu graphics driver.

As a workaround, blacklist the radeon kernel driver. (BZ#1486100)

Kdump kernel fails to boot after a CPU hot add or hot remove operationWhen running Red Hat Enterprise Linux 7 on the little-endian variant of IBM Power Systems with Kdumpenabled, the Kdump crashkernel will fail to boot if triggered by kexec after a CPU hot add or hot removeoperation. To work around this problem, restart the kdump service after hot adding or hot removing aCPU:

# systemctl restart kdump.service

(BZ#1549355)

7.5 Release Notes

178


Verification of signatures using the MD5 hash algorithm is disabled in Red HatEnterprise Linux 7It is impossible to connect to any Wi-Fi Protected Access (WPA) Enterprise Access Point (AP) thatrequires MD5 signed certificates. To work around this problem, copy the wpa_supplicant.service file fromthe /usr/lib/systemd/system/ directory to the /etc/systemd/system/ directory and add the following line tothe Service section of the file:

Environment=OPENSSL_ENABLE_MD5_VERIFY=1

Then run the systemctl daemon-reload command as root to reload the service file.

Important: Note that MD5 certificates are highly insecure and Red Hat does not recommend using them.(BZ#1062656)


179


NSS accept malformed RSA PKCS#1 v1.5 signatures made with an RSA-PSS keyThe Network Security Services (NSS) libraries do not check the type of an RSA public key usedby a server when validating signatures made using a corresponding private key. Consequently, NSSaccept malformed RSA PKCS#1 v1.5 signatures if they are made with an RSA-PSS key. (BZ#1510156)

Authentication using ssh-agent not from OpenSSH failsOpenSSH since version 7.4 negotiates the SHA-2 signature extension by default. Consequently, if asignature is provided by the ssh-agent program that is not from the current OpenSSH suite and thatdoes not know the SHA-2 extension, authentication fails. To work around this problem, use the OpenSSH ssh-agent to provide signatures. (BZ#1497680)

Parsing of OpenSSH public keys is more strictPreviously, the parsing of public keys was changed to be more strict. As a consequence, additionalspaces between the key type string and the key blob string are no longer ignored, and login attemptswith such keys now fail. To work around this problem, ensure that there is only one space characterbetween the key type and the key blob. (BZ#1493406)

SCAP Workbench fails to generate results-based remediations from tailored profilesThe following error occurs when trying to generate results-based remediation roles from a customizedprofile using the the SCAP Workbench tool:

Error generating remediation role '.../remediation.sh': Exit code of 'oscap' was 1: [output truncated]

To work around this problem, use the oscap command with the --tailoring-file option.(BZ#1533108)

Clevis can log spurious Device is not initialized error messagesIf the Clevis pluggable framework is in the initramfs image and if you have an encrypted volumeconfigured to unlock during boot time and coincidently you have not configured the Clevis binding, thenthe boot log shows spurious Device is not initialized error messages. To work around thisproblem, perform the Clevis binding step, and the error messages for the volume disappear.(BZ#1538759)

Libreswan is not working properly with seccomp=enabled on all configurationsThe set of allowed syscalls in the Libreswan SECCOMP support implementation is currently notcomplete. Consequently, when SECCOMP is enabled in the ipsec.conf file, the syscall filtering rejectseven syscalls needed for proper functioning of the pluto daemon; the daemon is killed, and the ipsecservice is restarted.

To work around this problem, set the seccomp= option back to the disabled state. SECCOMP supportmust remain disabled to run ipsec properly. (BZ#1544463)

OpenSCAP RPM verification rules do not work correctly with VM and container filesystemsThe rpminfo, rpmverify, and rpmverifyfile probes do not fully support offline mode.Consequently, OpenSCAP RPM verification rules do not work correctly when scanning virtual machine(VM) and container file systems in offline mode.

7.5 Release Notes

180






To work around this problem, disable the RPM verification rules or perform a manual check using aguidance in the SCAP Security Guide. Results of scanning VM and container file systems in offlinemode might contain false negatives. (BZ#1556988)

Firefox and other applications using NSS become unresponsive when a smart cardis insertedThe Network Security Services (NSS) libraries incorrectly handle smart card insertion events andstates of such events. Consequently, the Firefox browser and other applications using NSS in theGnome Display Manager (GDM) do not reliably detect the card insertion state and become unresponsivewhile requesting to wait for slot events.

To work around this problem, do not update the nss packages to version 3.34 and wait for the upstreamversion 3.36. The smart cards work correctly with the previous NSS version. (BZ#1557015)


181




No clear indication of profile activation error in the Tuned serviceErrors in the Tuned service configuration or errors occurring when loading Tuned profiles are in somecases not shown in the output of the systemctl status tuned command. As a consequence, iferrors occur that prevent Tuned from loading, Tuned sometimes enters a state with no profile activated.To view possible error messages, consult the output of the tuned-adm active command and checkthe contents of the /var/log/tuned/tuned.log file. (BZ#1385838)

db_hotbackup -c should be used with cautionThe db_hotbackup command with the -c option must be run by the user that owns the database. If theuser is different and the log file reaches its maximal size, a new log file is created with an ownership ofthe user that ran the command, which consequently makes the database unusable for its owner. Thisnote has been added to the db_hotbackup(1) manual page. (BZ#1460077)

Setting ListenStream= options in rpcbind.socket causes systemd-logind to fail andSSH connections to be delayedSetting the ListenStream= options in the rpcbind.socket unit file currently causes a failure of the systemd-logind service and a delay in SSH connections that import system users from a NISdatabase. To work around the problem, remove lines with the ListenStream= option from rpcbind.socket. (BZ#1425758)

ReaR recovery process fails on non-UEFI systems with the grub2-efi-x64 packageinstalledInstalling the grub2-efi-x64 package, which contains the GRUB2 boot loader for UEFI systems, changesthe file /boot/grub2/grubenv into a dead absolute symlink on systems which do not use UEFIfirmware. When attempting to recover such a system using the ReaR (Relax and Recover) recovery tool,the process fails and the system is rendered unbootable. To work around this problem, do not install thegrub2-efi-x64 package on systems where it is not required (systems without UEFI firmware).(BZ#1498748)

ISO images generated by ReaR with Linux TSM fail to workThe password store has changed in the Linux TSM (Tivoli Storage Manager) client versions 8.1.2 andabove. This means ISO images generated by ReaR using TSM will not work, as the TSM node passwordand encryption key will not be included in the ISO file. To fix this problem, add the following line into the /etc/rear/local.conf or /etc/rear/site.conf configuration file:

COPY_AS_IS_TSM=( /etc/adsm /opt/tivoli/tsm/client /usr/local/ibm/gsk8* )

(BZ#1534646)

Unexpected problems with the dbus rebaseThe dbus package rebase with its configuration changes can cause unexpected problems. Thus, it isrecommended to avoid the following actions:

updating only the dbus service

updating only parts of the system

updating from a graphical session

On the contrary, it is recommended to reboot after executing the yum update command as updatingseveral major components including dbus without reboot rarely works as expected. (BZ#1550582)

7.5 Release Notes

182






CHAPTER 63. STORAGE

The kexec -e command might cause storage errors with advanced storagecontrollersWhen using the kexec utility with the -e option, the system does not go through the standard Linuxshutdown sequence before booting the next kernel. This might cause problems for systems employingadvanced storage controllers, such as the Qlogic QMH2672 Fibre Channel adapter, because thesecontrollers rely on the shutdown sequence to assure the storage has settled at the time of a reboot.When invoking the kexec -e command on such systems, storage related errors might occur as the kexec operation progresses, and the newly loaded kernel might fail to discover some or all attachedstorage.

If you see similar symptoms on your system when attempting kexec -e, use kexec without the -eoption instead. This has been observed to work reliably. (BZ#1303244)

CHAPTER 63. STORAGE

183


Guests reporting cmt, mbmt, or mbml perf events fail to bootIf a guest virtual machine is set to report cmt, mbmt, or mbml perf events, it is unable to boot after thehost is upgraded to Red Hat Enterprise Linux 7.5.

To work around this problem, disable this setting by removing lines that contain event name='cmt', event name='mbmt', or event name='mbml' from the <perf> section of the domain XMLconfiguration file. (BZ#1532553)

7.5 Release Notes

184


APPENDIX A. COMPONENT VERSIONSThis appendix provides a list of key components and their versions in the Red Hat Enterprise Linux 7.5release.

Table A.1. Component Versions

Component Version

kernel 3.10.0-862

kernel-alt 4.14.0-49

QLogic qla2xxx driver 9.00.00.00.07.5-k1

QLogic qla4xxx driver 5.04.00.00.07.02-k0

Emulex lpfc driver 0:11.4.0.4

iSCSI initiator utils (iscsi-initiator-utils) 6.2.0.874-7

DM-Multipath (device-mapper-multipath)

0.4.9-119

LVM (lvm2) 2.02.177-4

qemu-kvm[a] 1.5.3-156

qemu-kvm-ma[b] 2.10.0-21

[a] The qemu-kvm packages provide KVM virtualization on AMD64 and Intel 64 systems.

[b] The qemu-kvm-ma packages provide KVM virtualization on IBM POWER8, IBM POWER9, and IBM z Systems. Notethat KVM virtualization on IBM POWER9 and IBM z Systems also requires using the kernel-alt packages.

APPENDIX A. COMPONENT VERSIONS

185

APPENDIX B. LIST OF BUGZILLAS BY COMPONENTThis appendix provides a list of all components and their related Bugzillas that are included in this book.

Table B.1. List of Bugzillas by Component

Component New Features Notable BugFixes

TechnologyPreviews

Known Issues

389-ds-base BZ#1274430,BZ#1352121,BZ#1406351,BZ#1458536,BZ#1467777,BZ#1470169

BZ#1434335,BZ#1445188,BZ#1453155,BZ#1459946,BZ#1464463,BZ#1464505,BZ#1465600,BZ#1476207,BZ#1476322,BZ#1483681,BZ#1498980,BZ#1501058,BZ#1511462,BZ#1517788,BZ#1523183,BZ#1533571

BZ#1517383,BZ#1544477

Doc-config-command-file-reference

BZ#1479012

ModemManager BZ#1483051

NetworkManager BZ#1350830,BZ#1398925,BZ#1436531

OVMF BZ#653382

OpenIPMI BZ#1457805

adcli BZ#1471021

anaconda BZ#1328576,BZ#1448459,BZ#1450922

BZ#1452873,BZ#1465944,BZ#1478970

ansible BZ#1313263

at BZ#1481355

audit BZ#1476406

7.5 Release Notes

186

binutils BZ#1385959,BZ#1406430,BZ#1472955,BZ#1485398

BZ#1465318,BZ#1488889

checkpolicy BZ#1494179

chrony BZ#1482565

clevis BZ#1475406,BZ#1475408,BZ#1478888

BZ#1500975 BZ#1538759

clufter BZ#1509381

cockpit BZ#1470780

conman BZ#1435840

control-center BZ#1481407 BZ#1543631

corosync BZ#1413573

criu BZ#1400230

cups BZ#1434153,BZ#1466497

curl BZ#1409208 BZ#1511523 BZ#1510247

custodia BZ#1403214

dbus BZ#1460262,BZ#1480264

BZ#1550582

device-mapper-multipath BZ#1452210,BZ#1456955

BZ#1459370

dhcp BZ#1394727,BZ#1396985

ding-libs BZ#1480270

distribution BZ#1512020,BZ#1512021

BZ#1062656


TechnologyPreviews

Known Issues


187

dnsmasq BZ#1188259

emacs-php-mode BZ#1266953

exiv2 BZ#1420227

fence-agents BZ#1451776,BZ#1476009

BZ#1519370 BZ#1476401

firewalld BZ#1462977

freeipmi BZ#1435848

fwupd BZ#1420913

gcc BZ#1535655 BZ#1468546,BZ#1469384,BZ#1487434

gdb BZ#1228556,BZ#1480498,BZ#1493675,BZ#1518243

genwqe-tools BZ#1456492

ghostscript BZ#1473337,BZ#1479852

gimp BZ#1210840

gjs BZ#1523121

glibc BZ#677316,BZ#1375235,BZ#1448822,BZ#1498925

BZ#1443236,BZ#1504969

gnome-settings-daemon BZ#1481410

gnome-shell BZ#1481381 BZ#1481395 BZ#1497303,BZ#1511454,BZ#1539772,BZ#1541021


TechnologyPreviews

Known Issues

7.5 Release Notes

188

gnome-shell-extensions BZ#1544840,BZ#1550115

gnome-software BZ#1434477

grub2 BZ#1512493

gssproxy BZ#1462974,BZ#1488629

httpd BZ#1274890

hwdata BZ#1489281

ima-evm-utils BZ#1384450

initscripts BZ#1357658,BZ#1478419

BZ#1364895,BZ#1380496,BZ#1395391,BZ#1455419

BZ#1444018

inkscape BZ#1480184

ipa BZ#1484683 BZ#1415162 BZ#1115294,BZ#1298286

BZ#1478366

ipa-server-docker BZ#1405325

iproute BZ#1435647,BZ#1456539,BZ#1468280

iptables BZ#1402021


TechnologyPreviews

Known Issues


189

kernel BZ#1102454,BZ#1226051,BZ#1272615,BZ#1273769,BZ#1308630,BZ#1349668,BZ#1361287,BZ#1379551,BZ#1400689,BZ#1409365,BZ#1421164,BZ#1429710,BZ#1430637,BZ#1451916,BZ#1454745,BZ#1454965,BZ#1456687,BZ#1457561,BZ#1457572,BZ#1458278,BZ#1465223,BZ#1467288,BZ#1467335,BZ#1468286,BZ#1469857,BZ#1475409,BZ#1481303,BZ#1482253,BZ#1491226,BZ#1494476,BZ#1538911

BZ#947004,BZ#1317099,BZ#1373534,BZ#1383691,BZ#1432288,BZ#1438695,BZ#1442618,BZ#1442784,BZ#1445046,BZ#1446684,BZ#1448534,BZ#1450529,BZ#1457046,BZ#1460106,BZ#1460213,BZ#1460641,BZ#1462363,BZ#1465711,BZ#1467280,BZ#1467521,BZ#1467561,BZ#1469200,BZ#1469247,BZ#1472892,BZ#1476040,BZ#1476709,BZ#1479043,BZ#1506338,BZ#1507821

BZ#916382,BZ#1109348,BZ#1111712,BZ#1205497,BZ#1206277,BZ#1230959,BZ#1274459,BZ#1299662,BZ#1305092,BZ#1348508,BZ#1350553,BZ#1387768,BZ#1391561,BZ#1393375,BZ#1414957,BZ#1457533,BZ#1460849

BZ#1303244,BZ#1367444,BZ#1470932,BZ#1484047,BZ#1486100,BZ#1509444,BZ#1528466,BZ#1535168,BZ#1539686,BZ#1540061,BZ#1540643,BZ#1548055

kernel-rt BZ#1401061,BZ#1462329

BZ#1297061

kexec-tools BZ#1431974 BZ#1448861,BZ#1476219

BZ#1549355

kmod BZ#1361857

krb5 BZ#1462982 BZ#1431198,BZ#1460089

ksc BZ#1441455

libdb BZ#1349779 BZ#1460077


TechnologyPreviews

Known Issues

7.5 Release Notes

190

libguestfs BZ#1172425,BZ#1438710,BZ#1448739,BZ#1451665

BZ#1472719,BZ#1506572

BZ#1387213,BZ#1441197,BZ#1477912

libica BZ#1376836

libnftnl BZ#1332585

libpfm BZ#1474999

libreoffice BZ#1474303

libreswan BZ#1300763,BZ#1457904,BZ#1463062,BZ#1471763,BZ#1475434

BZ#1375750 BZ#1544463

libsmbios BZ#1463329

libstoragemgmt BZ#1119909

libusnic_verbs BZ#916384

libva BZ#1456903

libvirt BZ#1289368,BZ#1292451,BZ#1472263

BZ#1283251 BZ#1532553

libvncserver BZ#1314814

libyami BZ#1456906

linuxptp BZ#1002657

logrotate BZ#1465720

lorax BZ#1458937,BZ#1478448

BZ#1341280

lvm2 BZ#1113681,BZ#1278192


TechnologyPreviews

Known Issues


191

m17n-db BZ#1058510

mailx BZ#1474130

mod_nss BZ#1461580

mpg123 BZ#1481753

mutter BZ#1481386 BZ#1500397,BZ#1537529

net-snmp BZ#1329338

netpbm BZ#1381122

nftables BZ#1472261 BZ#1451404

nmap BZ#1460249

nss BZ#1395803,BZ#1457789

BZ#1425514,BZ#1431210,BZ#1432142

BZ#1510156,BZ#1557015

numpy BZ#1167156

opal-prd BZ#1456536

opencryptoki BZ#1456520

openldap BZ#1400578

opensc BZ#1473418

openscap BZ#1505517 BZ#1556988

openssh BZ#1478035 BZ#1488083,BZ#1496808,BZ#1517226

BZ#1493406,BZ#1497680

openssl-ibmca BZ#1456516

oprofile BZ#1465354

oscap-anaconda-addon BZ#1547609


TechnologyPreviews

Known Issues

7.5 Release Notes

192

other BZ#1432080,BZ#1499059,BZ#1543995,BZ#1578075

BZ#1062759,BZ#1072107,BZ#1259547,BZ#1464377,BZ#1477977

BZ#1451876,BZ#1512940,BZ#1515833,BZ#1515918,BZ#1524193,BZ#1532547,BZ#1536004

pacemaker BZ#1427648,BZ#1461976

BZ#1394418,BZ#1489728

pam BZ#1509338

parted BZ#1423357 BZ#1316239

pcp BZ#1472153

pcs BZ#1367808,BZ#1415197

BZ#1421702,BZ#1432283,BZ#1508351

BZ#1433016

pcsc-lite-ccid BZ#1435668

perl-DBD-MySQL BZ#1311646

perl-DateTime-TimeZone BZ#1241818

perl-HTTP-Daemon BZ#1413065

perl-IO-Socket-SSL BZ#1402588

perl-version BZ#1378885

php BZ#1410010


TechnologyPreviews

Known Issues


193

pki-core BZ#1024558,BZ#1400645,BZ#1419761,BZ#1445532,BZ#1446786,BZ#1452347,BZ#1464549,BZ#1469169,BZ#1473452,BZ#1523410,BZ#1523443

BZ#1402280,BZ#1404794,BZ#1446579,BZ#1461217,BZ#1461524,BZ#1465142,BZ#1474658,BZ#1479663,BZ#1484359,BZ#1486225,BZ#1491052,BZ#1498957,BZ#1499054,BZ#1500474,BZ#1506819,BZ#1518096,BZ#1520277,BZ#1532759,BZ#1539125,BZ#1541853

policycoreutils BZ#1471809

python BZ#1483438

python-blivet BZ#1527319

python-urllib3 BZ#1434114

python-virtualenv BZ#1461154

qemu-kvm BZ#1379822,BZ#1411490

BZ#1455451,BZ#1470244

BZ#1103193

qemu-kvm-ma BZ#1400070,BZ#1465503,BZ#1531672

qgnomeplatform BZ#1479351

qt5-qtbase BZ#1479097

quota BZ#1393849


TechnologyPreviews

Known Issues

7.5 Release Notes

194

rear BZ#1388653,BZ#1479002,BZ#1492177,BZ#1506231,BZ#1532676

BZ#1498748,BZ#1534646

resource-agents BZ#1436189 BZ#1445628,BZ#1457382,BZ#1462802

rhn-client-tools BZ#1494389

rhnlib BZ#1503953

rhnsd BZ#1475039,BZ#1480306,BZ#1489989

rpcbind BZ#1425758

rpm BZ#1278924,BZ#1406611

rsync BZ#1393543,BZ#1432899

samba BZ#1470048

sane-backends BZ#1458903

sbd BZ#1462002,BZ#1499864

BZ#1468580,BZ#1525981

scap-security-guide BZ#1404429,BZ#1472499

scap-workbench BZ#1479036 BZ#1533108

selinux-policy BZ#1480518,BZ#1494172

BZ#1470735,BZ#1472722

setup BZ#1344007 BZ#1433020

smartmontools BZ#1369731

sos BZ#1183243


TechnologyPreviews

Known Issues


195

spice-gtk BZ#1540056

squid BZ#1452200

sssd BZ#1327705,BZ#1400614,BZ#1416150,BZ#1472255

BZ#1068725

strace BZ#1466535

strongimcv BZ#755087

subscription-manager BZ#1319927,BZ#1329349,BZ#1463325,BZ#1466453,BZ#1499977,BZ#1526622

BZ#1476817,BZ#1507158,BZ#1519512

system-config-kdump BZ#1384943

system-config-kickstart BZ#1272068

systemd BZ#1384014 BZ#1455071 BZ#1284974

systemtap BZ#1473722

tang BZ#1478895

tboot BZ#1457529

tcpdump BZ#1464390,BZ#1490842

tftp BZ#1328827

tpm2-abrmd BZ#1492466

tpm2-tss BZ#1463097

tss2 BZ#1384452

tuned BZ#1467576 BZ#1385838


TechnologyPreviews

Known Issues

7.5 Release Notes

196

unbound BZ#1251440

usbguard BZ#1480100

valgrind BZ#1473725

vdo BZ#1480047

vim BZ#1267826,BZ#1319760

virt-manager BZ#1472271

virt-what BZ#1476878

virt-who BZ#1408556,BZ#1436617

BZ#1389729,BZ#1461417,BZ#1485865

wayland BZ#1481411

webkitgtk4 BZ#1476707

xorg-x11-drivers BZ#1516970

xorg-x11-drv-intel BZ#1545550

xorg-x11-server BZ#1478625,BZ#1499129

yum BZ#1432319 BZ#1458841

yum-utils BZ#1437636,BZ#1470647

BZ#1428210,BZ#1455318


TechnologyPreviews

Known Issues


197

APPENDIX C. REVISION HISTORY

Revision 0.1-2 Wed Jun 13 2018 Lenka ŠpačkováFixed cross-reference links.

Revision 0.1-1 Fri May 18 2018 Lenka ŠpačkováRemoved a duplicate description.

Updated GNOME Shell rebase description.

Revision 0.1-0 Tue May 15 2018 Lenka ŠpačkováShenandoah garbage collector moved to fully supported features (Compiler and Tools).

Added a description of clufter rebase and of support for Sybase ASE failover to features (Clustering).

Added a known issue related to read-only system configuration (Installation and Booting).

Added several bug fix descriptions (Clustering, Storage).

Expanded Wayland Technology Preview description (Desktop).

Revision 0.0-9 Tue Apr 24 2018 Lenka ŠpačkováMoved the tpm2-* packages from Technology Previews to fully supported features (Hardware Enablement).

Added a new OpenSC feature related to CAC Alternate tokens (Security).

Added a known issue related to NSS and smart cards (Security).

Revision 0.0-8 Tue Apr 17 2018 Lenka ŠpačkováUpdated a recommendation related to the sslwrap() deprecation.

Added a PTP device addition note (Virtualization).

Revision 0.0-7 Fri Apr 13 2018 Lenka ŠpačkováUpdated a link to Intel® Omni-Path Architecture documentation.

Revision 0.0-6 Tue Apr 10 2018 Lenka ŠpačkováRelease of the Red Hat Enterprise Linux 7.5 Release Notes.

Revision 0.0-1 Wed Jan 24 2018 Lenka ŠpačkováRelease of the Red Hat Enterprise Linux 7.5 Beta Release Notes.

7.5 Release Notes

198

Red Hat Enterprise Linux 7 Hat Enterprise Linux 7 7.5 Release Notes Release Notes for Red Hat...

Documents

Transcript of Red Hat Enterprise Linux 7 Hat Enterprise Linux 7 7.5 Release Notes Release Notes for Red Hat...